CVE-2026-2893
Second-Order SQL Injection in WordPress Page and Post Clone Plugin
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | page_and_post_clone | to 6.3 (inc) |
| wordfence | cf_page_or_post_duplicator | to 6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability in the Page and Post Clone plugin for WordPress is a SQL Injection issue occurring via the 'meta_key' parameter in the content_clone() function. This happens because the plugin does not properly escape or prepare the user-supplied meta_key value when duplicating post metadata. As a result, authenticated users with Contributor-level access or higher can inject additional SQL queries into existing database queries."}, {'type': 'paragraph', 'content': 'This injection is second-order, meaning the malicious SQL payload is stored as a post meta key and only executed later when the post is cloned. This allows attackers to extract sensitive information from the database by appending unauthorized SQL commands.'}] [2]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with at least Contributor-level access to execute unauthorized SQL queries on the WordPress database. This can lead to the extraction of sensitive information stored in the database.
Because the injection is second-order, the attacker can store malicious SQL code as post metadata that is executed later during the cloning process, potentially bypassing some immediate detection.
The impact includes unauthorized data disclosure, which can compromise the confidentiality of the website's data, but it does not directly affect data integrity or availability according to the CVSS score.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL Injection via the 'meta_key' parameter in the content_clone() function of the Page and Post Clone WordPress plugin. Detection would involve identifying attempts to exploit this SQL Injection by monitoring for unusual or malicious SQL queries related to post meta data duplication.
Since the vulnerability requires authenticated users with Contributor-level access or higher to exploit, detection can focus on monitoring WordPress logs for suspicious cloning actions or unusual database queries involving the postmeta table.
Specific commands to detect exploitation attempts are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Page and Post Clone plugin to version 6.4 or later, where the issue has been fixed by replacing unsafe SQL query construction with prepared statements and parameterized inserts.
Ensure that your WordPress installation and all plugins are kept up to date to benefit from security patches.
Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires such access to be exploited.