WordPress Plugin Vulnerabilities

Duplicate Page < 3.4 - Authenticated SQL Injection

Description

This vulnerability is exploitable by any users with an account on the vulnerable site (regardless of the privileges they have – e.g., subscribers)

Affects Plugins

Plugin icon
duplicate-page
Fixed in 3.4

References

URL
https://blog.sucuri.net/2019/04/sql-injection-in-duplicate-page-wordpress-plugin.html
URL
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2060758%40duplicate-page&old=2050443%40duplicate-page&sfp_email=&sfph_mail=

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.5 (high)

Miscellaneous

Original Researcher
Marc-Alexandre Montpas
Submitter
Marc-Alexandre Montpas
Submitter website
https://sucuri.net
Submitter twitter
@marcS0H
Verified
No
WPVDB ID
d668ff1a-7c38-4d7c-95a0-a64f5e741f2e

Timeline

Publicly Published
2019-04-05 (about 7 years ago)
Added
2019-04-06 (about 7 years ago)
Last Updated
2020-04-24 (about 6 years ago)

Other

Published
Title
Published
2026-05-04
Title
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation < 1.2.1 - Unauthenticated SQL Injection via 'attributekey'
Published
2015-07-15
Title
Auto Affiliate Links < 5.0 - Authenticated Blind SQL Injection
Published
2022-03-02
Title
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
Published
2014-08-01
Title
Rockhoist Ratings 1.2.2 - wp-admin/admin-ajax.php postID Parameter SQL Injection
Published
2026-01-06
Title
FireStorm Professional Real Estate <= 2.7.11 - Authenticated (Administrator+) SQL Injection