Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for post_duplicator by metaphorcreations

    CVE-2025-24736 (GCVE-0-2025-24736)

    Vulnerability from nvd – Published: 2025-01-24 17:25 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress Post Duplicator plugin <= 2.35 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.35.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    metaphorcreations Post Duplicator Affected: 0 , ≤ 2.35 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:34
    Credits
    Mika | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-24T17:48:34.022743Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:01:15.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "post-duplicator",
              "product": "Post Duplicator",
              "vendor": "metaphorcreations",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.36",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mika | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:34:41.879Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Post Duplicator: from n/a through \u003c= 2.35.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through \u003c= 2.35."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:33.584Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-2-35-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Post Duplicator plugin \u003c= 2.35 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-24736",
        "datePublished": "2025-01-24T17:25:23.804Z",
        "dateReserved": "2025-01-23T14:52:51.692Z",
        "dateUpdated": "2026-04-28T16:11:33.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12472 (GCVE-0-2024-12472)

    Vulnerability from nvd – Published: 2025-01-11 02:20 – Updated: 2026-04-08 16:44
    VLAI
    Title
    Post Duplicator <= 2.36 - Authenticated (Contributor+) Protected Post Disclosure
    Summary
    The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    metaphorcreations Post Duplicator Affected: 0 , ≤ 2.36 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T19:54:32.769531Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-13T19:54:40.574Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Post Duplicator",
              "vendor": "metaphorcreations",
              "versions": [
                {
                  "lessThanOrEqual": "2.36",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:49.660Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3071b2dc-9673-4e30-bd04-7404eb6a1ed9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3219375%40post-duplicator\u0026new=3219375%40post-duplicator\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-10T14:15:46.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Post Duplicator \u003c= 2.36 - Authenticated (Contributor+) Protected Post Disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-12472",
        "datePublished": "2025-01-11T02:20:53.726Z",
        "dateReserved": "2024-12-10T22:47:37.270Z",
        "dateUpdated": "2026-04-08T16:44:49.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49835 (GCVE-0-2023-49835)

    Vulnerability from nvd – Published: 2024-12-09 11:30 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress Post Duplicator plugin <= 2.31 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through 2.31.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Metaphor Creations Post Duplicator Affected: n/a , ≤ 2.31 (custom)
    Create a notification for this product.
    Credits
    Huynh Tien Si (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49835",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T17:37:02.006687Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-09T18:01:35.995Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "post-duplicator",
              "product": "Post Duplicator",
              "vendor": "Metaphor Creations",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.32",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.31",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Huynh Tien Si (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Post Duplicator: from n/a through 2.31.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through 2.31."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:58.104Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-2-31-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress Post Duplicator plugin to the latest available version (at least 2.32)."
                }
              ],
              "value": "Update the WordPress Post Duplicator plugin to the latest available version (at least 2.32)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Post Duplicator plugin \u003c= 2.31 - Broken Access Control vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49835",
        "datePublished": "2024-12-09T11:30:06.738Z",
        "dateReserved": "2023-11-30T17:12:29.821Z",
        "dateUpdated": "2026-04-28T16:08:58.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2016-15027 (GCVE-0-2016-15027)

    Vulnerability from nvd – Published: 2023-02-20 17:00 – Updated: 2024-08-06 03:47
    VLAI
    Title
    meta4creations Post Duplicator Plugin notices.php mtphr_post_duplicator_notice cross site scripting
    Summary
    A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496.
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    Impacted products
    Credits
    VulDB GitHub Commit Analyzer
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T03:47:34.980Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.221496"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.221496"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/meta4creations/post-duplicator/commit/ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/meta4creations/post-duplicator/releases/tag/2.19"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Post Duplicator Plugin",
              "vendor": "meta4creations",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB GitHub Commit Analyzer"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in meta4creations Post Duplicator Plugin 2.18 f\u00fcr WordPress ausgemacht. Hiervon betroffen ist die Funktion mtphr_post_duplicator_notice der Datei includes/notices.php. Dank der Manipulation des Arguments post-duplicated mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Ein Aktualisieren auf die Version 2.19 vermag dieses Problem zu l\u00f6sen. Der Patch wird als ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-20T11:19:12.288Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.221496"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.221496"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/meta4creations/post-duplicator/commit/ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/meta4creations/post-duplicator/releases/tag/2.19"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-19T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-02-19T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-02-19T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-03-23T10:26:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "meta4creations Post Duplicator Plugin notices.php mtphr_post_duplicator_notice cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2016-15027",
        "datePublished": "2023-02-20T17:00:05.423Z",
        "dateReserved": "2023-02-19T08:24:12.937Z",
        "dateUpdated": "2024-08-06T03:47:34.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33852 (GCVE-0-2021-33852)

    Vulnerability from nvd – Published: 2022-03-09 16:54 – Updated: 2024-08-04 00:05
    VLAI
    Summary
    A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.
    Severity
    No CVSS data available.
    CWE
    Assigner
    CSW
    References
    Impacted products
    Vendor Product Version
    n/a WordPress Post Duplicator Plugin Affected: Version 2.23
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:05:51.022Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WordPress Post Duplicator Plugin",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Version 2.23"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u0027s browser and can use an application as the vehicle for the attack. The XSS payload given in the \"Duplicate Title\" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-11T17:54:07.000Z",
            "orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
            "shortName": "CSW"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclose@cybersecurityworks.com",
              "ID": "CVE-2021-33852",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WordPress Post Duplicator Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Version 2.23"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u0027s browser and can use an application as the vehicle for the attack. The XSS payload given in the \"Duplicate Title\" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
        "assignerShortName": "CSW",
        "cveId": "CVE-2021-33852",
        "datePublished": "2022-03-09T16:54:43.000Z",
        "dateReserved": "2021-06-04T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:05:51.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24736 (GCVE-0-2025-24736)

    Vulnerability from cvelistv5 – Published: 2025-01-24 17:25 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress Post Duplicator plugin <= 2.35 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.35.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    metaphorcreations Post Duplicator Affected: 0 , ≤ 2.35 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:34
    Credits
    Mika | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-24T17:48:34.022743Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:01:15.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "post-duplicator",
              "product": "Post Duplicator",
              "vendor": "metaphorcreations",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.36",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mika | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:34:41.879Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Post Duplicator: from n/a through \u003c= 2.35.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through \u003c= 2.35."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:33.584Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-2-35-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Post Duplicator plugin \u003c= 2.35 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-24736",
        "datePublished": "2025-01-24T17:25:23.804Z",
        "dateReserved": "2025-01-23T14:52:51.692Z",
        "dateUpdated": "2026-04-28T16:11:33.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12472 (GCVE-0-2024-12472)

    Vulnerability from cvelistv5 – Published: 2025-01-11 02:20 – Updated: 2026-04-08 16:44
    VLAI
    Title
    Post Duplicator <= 2.36 - Authenticated (Contributor+) Protected Post Disclosure
    Summary
    The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    metaphorcreations Post Duplicator Affected: 0 , ≤ 2.36 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-13T19:54:32.769531Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-13T19:54:40.574Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Post Duplicator",
              "vendor": "metaphorcreations",
              "versions": [
                {
                  "lessThanOrEqual": "2.36",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to by duplicating the post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:49.660Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3071b2dc-9673-4e30-bd04-7404eb6a1ed9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3219375%40post-duplicator\u0026new=3219375%40post-duplicator\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-10T14:15:46.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Post Duplicator \u003c= 2.36 - Authenticated (Contributor+) Protected Post Disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-12472",
        "datePublished": "2025-01-11T02:20:53.726Z",
        "dateReserved": "2024-12-10T22:47:37.270Z",
        "dateUpdated": "2026-04-08T16:44:49.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49835 (GCVE-0-2023-49835)

    Vulnerability from cvelistv5 – Published: 2024-12-09 11:30 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress Post Duplicator plugin <= 2.31 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through 2.31.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Metaphor Creations Post Duplicator Affected: n/a , ≤ 2.31 (custom)
    Create a notification for this product.
    Credits
    Huynh Tien Si (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49835",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T17:37:02.006687Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-09T18:01:35.995Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "post-duplicator",
              "product": "Post Duplicator",
              "vendor": "Metaphor Creations",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.32",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.31",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Huynh Tien Si (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Post Duplicator: from n/a through 2.31.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Metaphor Creations Post Duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through 2.31."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:58.104Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-2-31-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress Post Duplicator plugin to the latest available version (at least 2.32)."
                }
              ],
              "value": "Update the WordPress Post Duplicator plugin to the latest available version (at least 2.32)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Post Duplicator plugin \u003c= 2.31 - Broken Access Control vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49835",
        "datePublished": "2024-12-09T11:30:06.738Z",
        "dateReserved": "2023-11-30T17:12:29.821Z",
        "dateUpdated": "2026-04-28T16:08:58.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2016-15027 (GCVE-0-2016-15027)

    Vulnerability from cvelistv5 – Published: 2023-02-20 17:00 – Updated: 2024-08-06 03:47
    VLAI
    Title
    meta4creations Post Duplicator Plugin notices.php mtphr_post_duplicator_notice cross site scripting
    Summary
    A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496.
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    Impacted products
    Credits
    VulDB GitHub Commit Analyzer
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T03:47:34.980Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.221496"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.221496"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/meta4creations/post-duplicator/commit/ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/meta4creations/post-duplicator/releases/tag/2.19"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Post Duplicator Plugin",
              "vendor": "meta4creations",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.18"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB GitHub Commit Analyzer"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in meta4creations Post Duplicator Plugin 2.18 on WordPress. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in meta4creations Post Duplicator Plugin 2.18 f\u00fcr WordPress ausgemacht. Hiervon betroffen ist die Funktion mtphr_post_duplicator_notice der Datei includes/notices.php. Dank der Manipulation des Arguments post-duplicated mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Ein Aktualisieren auf die Version 2.19 vermag dieses Problem zu l\u00f6sen. Der Patch wird als ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-20T11:19:12.288Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.221496"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.221496"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/meta4creations/post-duplicator/commit/ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/meta4creations/post-duplicator/releases/tag/2.19"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-19T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-02-19T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-02-19T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-03-23T10:26:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "meta4creations Post Duplicator Plugin notices.php mtphr_post_duplicator_notice cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2016-15027",
        "datePublished": "2023-02-20T17:00:05.423Z",
        "dateReserved": "2023-02-19T08:24:12.937Z",
        "dateUpdated": "2024-08-06T03:47:34.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-33852 (GCVE-0-2021-33852)

    Vulnerability from cvelistv5 – Published: 2022-03-09 16:54 – Updated: 2024-08-04 00:05
    VLAI
    Summary
    A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Duplicate Title" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts.
    Severity
    No CVSS data available.
    CWE
    Assigner
    CSW
    References
    Impacted products
    Vendor Product Version
    n/a WordPress Post Duplicator Plugin Affected: Version 2.23
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:05:51.022Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WordPress Post Duplicator Plugin",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Version 2.23"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u0027s browser and can use an application as the vehicle for the attack. The XSS payload given in the \"Duplicate Title\" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-11T17:54:07.000Z",
            "orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
            "shortName": "CSW"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "disclose@cybersecurityworks.com",
              "ID": "CVE-2021-33852",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WordPress Post Duplicator Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Version 2.23"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u0027s browser and can use an application as the vehicle for the attack. The XSS payload given in the \"Duplicate Title\" text box executes whenever the user opens the Settings Page of the Post Duplicator Plugin or the application root page after duplicating any of the existing posts."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html",
                  "refsource": "MISC",
                  "url": "https://cybersecurityworks.com/zerodays/cve-2021-33852-stored-cross-site-scripting-in-wordpress-post-duplicator-plugin-2-23.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
        "assignerShortName": "CSW",
        "cveId": "CVE-2021-33852",
        "datePublished": "2022-03-09T16:54:43.000Z",
        "dateReserved": "2021-06-04T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:05:51.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }