CVE-2026-39474: WordPress Post Duplicator plugin <= 3.0.10 - PHP Object Injection vulnerability
Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability in the WordPress Post Duplicator plugin (versions 3.0.10 and earlier) where attacker-controlled data is passed to PHP's unserialize() function without validation. Exploitation is reachable over the network and requires only a low-privilege WordPress account (Contributor role or equivalent). Successful exploitation gives the attacker full read, write, and availability impact on the host, which in practice means arbitrary code execution or complete data compromise depending on the PHP classes available in the application. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream maintainer publishes a fix.
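The following is an added example, not code from the Post Duplicator plugin or from HarborGuard. It shows the generic pattern behind PHP Object Injection (attacker-controlled bytes reaching unserialize()) beside two hardened handlers, and exercises all three against a constructed, harmless probe. Every function name, option key and the secret are hypothetical; nothing here reproduces the plugin's real code or endpoint.

```php
<?php
// Added example (hypothetical names throughout): the unsafe deserialization
// pattern next to two hardened alternatives for restoring user-supplied settings.

// UNSAFE: raw request bytes go straight to unserialize(). Any class loaded in the
// application whose __wakeup()/__destruct() does something interesting becomes
// reachable; with a Contributor-level endpoint this is the CVE's whole story.
function restore_settings_unsafe(string $raw): array {
    $data = @unserialize($raw);         // no validation, every class allowed
    return is_array($data) ? $data : [];
}

// SAFER 1: keep the serialized format but forbid object instantiation.
// With allowed_classes => false (PHP >= 7.0) objects decode to
// __PHP_Incomplete_Class stubs and no magic methods run; we then reject any
// payload that still carries such a stub instead of silently using it.
function restore_settings_no_objects(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    array_walk_recursive($data, function ($v) {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object payload rejected');
        }
    });
    return $data;
}

// SAFER 2: use JSON (cannot instantiate classes at all) and, when the value
// round-trips through the browser, bind it to a server-side secret with an HMAC
// so tampered payloads are dropped before they are parsed. Only keys the feature
// expects are kept (key names are hypothetical).
function pack_settings(array $settings, string $secret): string {
    $json = json_encode($settings, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $secret) . '.' . base64_encode($json);
}

function unpack_settings(string $packed, string $secret): array {
    $parts = explode('.', $packed, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return [];                       // malformed or tampered: ignore it
    }
    $data    = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    $allowed = ['copy_title' => true, 'copy_content' => true, 'status' => true];
    return array_intersect_key(is_array($data) ? $data : [], $allowed);
}

// Constructed probe: an array carrying a plain stdClass. It is harmless, but it
// is exactly the shape an object-injection payload takes, so it shows whether a
// handler instantiates objects from untrusted input.
$probe  = serialize(['copy_title' => true, 'x' => (object)['y' => 1]]);
$secret = 'constructed-demo-secret';

$unsafe = restore_settings_unsafe($probe);
echo 'unsafe handler instantiated an object: ',
     ($unsafe['x'] instanceof stdClass) ? "yes\n" : "no\n";   // yes

try {
    restore_settings_no_objects($probe);
    echo "no_objects handler: accepted\n";
} catch (UnexpectedValueException $e) {
    echo "no_objects handler: rejected (", $e->getMessage(), ")\n"; // rejected
}

$packed = pack_settings(['copy_title' => true, 'status' => 'draft', 'junk' => 1], $secret);
print_r(unpack_settings($packed, $secret));           // copy_title and status only
$tampered = substr_replace($packed, 'ff', 0, 2);      // flip bytes of the MAC
var_dump(unpack_settings($tampered, $secret));        // array(0) {}
```

In a WordPress plugin the handler should additionally be gated with a capability check such as current_user_can() and a nonce check such as check_admin_referer(); the advisory's point is that a Contributor account is enough to reach the vulnerable path, so the deserialization fix and the authorization check belong together.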
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-39474 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle the Post Duplicator plugin.
- Scoring and routing: Available. HarborGuard scores this finding at CVSS 8.8 (HIGH), weights it further against each environment's active compliance policy, and routes the alert to the appropriate team inbox within the customer organization.
- Patched image: Pending upstream. No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment metaphorcreations ships a remediated release of Post Duplicator.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
A low-privilege account (Contributor role or equivalent) is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
No user interaction is needed; the attacker triggers the vulnerability directly without relying on a victim to take any action.
- Attack complexity: Low
The exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads arbitrary files on the host, including WordPress configuration files that contain database credentials and secret keys.
- Writes or overwrites files on the host, enabling injection of malicious PHP into the application or modification of stored content.
- Executes arbitrary code on the server if suitable PHP classes (gadget chains) are present in the application or its dependencies.
- Crashes or degrades the WordPress service by corrupting application state during deserialization.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored through each ingest cycle because no upstream fix has been published yet. For images confirmed to include Post Duplicator 3.0.10 or earlier, HarborGuard surfaces the finding with its CVSS 8.8 HIGH score and routes it according to each environment's compliance policy. While waiting for an upstream patch, customers can apply compensating controls: network-policy rules that restrict which services can reach the WordPress instance, egress filtering to limit outbound connections a compromised container could make, and disabling the Contributor role or the Post Duplicator plugin itself via a feature flag or plugin management policy. The moment metaphorcreations publishes a patched release, HarborGuard will make a rebuilt image available; for customers with auto-remediation enabled, that triggers a regression-test run and a PR opened against affected workloads automatically.
Affected Products
- metaphorcreations / Post Duplicator: ≤ 3.0.10
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H