CVE-2026-2893
Received Received - Intake
Second-Order SQL Injection in WordPress Page and Post Clone Plugin

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Wordfence

Description
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2893
EUVD
EUVD-2026-9811
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence page_and_post_clone to 6.3 (inc)
wordfence cf_page_or_post_duplicator to 6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability in the Page and Post Clone plugin for WordPress is a SQL Injection issue occurring via the 'meta_key' parameter in the content_clone() function. This happens because the plugin does not properly escape or prepare the user-supplied meta_key value when duplicating post metadata. As a result, authenticated users with Contributor-level access or higher can inject additional SQL queries into existing database queries."}, {'type': 'paragraph', 'content': 'This injection is second-order, meaning the malicious SQL payload is stored as a post meta key and only executed later when the post is cloned. This allows attackers to extract sensitive information from the database by appending unauthorized SQL commands.'}] [2]

Impact Analysis

This vulnerability can allow an authenticated attacker with at least Contributor-level access to execute unauthorized SQL queries on the WordPress database. This can lead to the extraction of sensitive information stored in the database.

Because the injection is second-order, the attacker can store malicious SQL code as post metadata that is executed later during the cloning process, potentially bypassing some immediate detection.

The impact includes unauthorized data disclosure, which can compromise the confidentiality of the website's data, but it does not directly affect data integrity or availability according to the CVSS score.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves SQL Injection via the 'meta_key' parameter in the content_clone() function of the Page and Post Clone WordPress plugin. Detection would involve identifying attempts to exploit this SQL Injection by monitoring for unusual or malicious SQL queries related to post meta data duplication.

Since the vulnerability requires authenticated users with Contributor-level access or higher to exploit, detection can focus on monitoring WordPress logs for suspicious cloning actions or unusual database queries involving the postmeta table.

Specific commands to detect exploitation attempts are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Page and Post Clone plugin to version 6.4 or later, where the issue has been fixed by replacing unsafe SQL query construction with prepared statements and parameterized inserts.

Ensure that your WordPress installation and all plugins are kept up to date to benefit from security patches.

Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires such access to be exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart