The vulnerability identified as CVE-2026-2301 affects the Post Duplicator plugin for WordPress, versions up to and including 3.0.8. The root cause is the improper handling of post meta data insertion within the duplicate_post() function located in includes/api.php. Instead of using WordPress's add_post_meta() function, which enforces checks via is_protected_meta() to prevent unauthorized setting of protected meta keys (keys starting with an underscore), the plugin uses a direct database insert via $wpdb->insert() into the wp_postmeta table. This bypasses the built-in authorization checks, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary protected meta keys through the customMetaData JSON array parameter in the REST API endpoint /wp-json/post-duplicator/v1/duplicate-post. Protected meta keys include sensitive fields like _wp_page_template and _wp_attached_file, which control page templates and media attachments respectively. This vulnerability falls under CWE-862 (Missing Authorization) because the plugin fails to properly restrict access to sensitive operations. The CVSS 3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. No public exploits have been reported yet, but the flaw could be leveraged to alter post metadata in ways that may facilitate further attacks or content manipulation.

The primary impact of this vulnerability is the unauthorized modification of protected post metadata by users with Contributor-level access or higher. This can undermine the integrity of post content by allowing attackers to change critical metadata such as page templates or attached files, potentially affecting site presentation or media references. While it does not directly compromise confidentiality or availability, the integrity impact could enable indirect attacks, such as privilege escalation or content spoofing, if combined with other vulnerabilities or misconfigurations. Organizations relying on the Post Duplicator plugin may face risks of unauthorized content manipulation, which could damage trust, disrupt workflows, or lead to further exploitation. Since the vulnerability is exploitable via the REST API, it can be triggered remotely by authenticated users, increasing the attack surface. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate this vulnerability, organizations should first update the Post Duplicator plugin to a patched version once available that properly uses add_post_meta() and enforces authorization checks. Until a patch is released, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of exploitation. Additionally, disabling or restricting access to the /wp-json/post-duplicator/v1/duplicate-post REST API endpoint via firewall rules or WordPress REST API access controls can reduce exposure. Implementing monitoring and alerting on unusual post meta changes, especially to protected keys, can help detect exploitation attempts. Reviewing and hardening WordPress user roles and capabilities to follow the principle of least privilege is also recommended. Finally, consider employing Web Application Firewalls (WAFs) with custom rules to block suspicious REST API requests targeting this endpoint.