How is CVE-2026-49046 exploited?

Network reachability (required): The plugin is exposed over the network, so an attacker must be able to reach the WordPress HTTP endpoint to deliver the malicious SQL payload. Authentication (required): The attacker must hold at least one low-privilege WordPress account; unauthenticated access alone is not sufficient to trigger the injection point. Victim interaction (not-required): No victim interaction is needed; the attacker sends crafted requests directly to the vulnerable endpoint without requiring any user to click or navigate anywhere. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race conditions or specific memory layout.

What is the impact of CVE-2026-49046?

Attacker extracts data from the WordPress database through blind SQL injection, including stored user credentials, session tokens, and any customer or content records held in the database. Confidentiality impact is high, covering all data readable by the database account the WordPress application uses. Availability impact is low, meaning the attacker can cause limited, intermittent disruption to the affected service, such as slowing or erroring database queries, without a full denial of service. Database integrity is not directly affected by this vulnerability based on the reported CVSS vector.

Back to search

HIGHCVE-2026-49046Published 2026-05-27Modified 2026-05-28CNA Patchstack

CVE-2026-49046: WordPress Duplicate Page and Post plugin <= 2.9.5 - SQL Injection vulnerability

Q: What is CVE-2026-49046?

SQL injection vulnerability in the Duplicate Page and Post WordPress plugin (versions up to and including 2.9.5) allows a network-adjacent attacker with a low-privilege account to perform blind SQL injection against the underlying database. The flaw stems from insufficient sanitization of SQL command input, and exploiting it gives an attacker read access to sensitive database contents as well as limited ability to disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

Q: Is CVE-2026-49046 patched?

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5.

HarborGuard Analysis

HarborGuard analysis

Synopsis

SQL injection vulnerability in the Duplicate Page and Post WordPress plugin (versions up to and including 2.9.5) allows a network-adjacent attacker with a low-privilege account to perform blind SQL injection against the underlying database. The flaw stems from insufficient sanitization of SQL command input, and exploiting it gives an attacker read access to sensitive database contents as well as limited ability to disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress images that bundle this plugin. Any image running Duplicate Page and Post at version 2.9.5 or earlier is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 8.5 (HIGH) and applies per-environment compliance policy weighting to determine priority, escalating it appropriately given the network-reachable, unauthenticated-to-low-privilege attack surface. Triage routing is available to direct the finding to the right team inbox within each customer organization.

Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The plugin is exposed over the network, so an attacker must be able to reach the WordPress HTTP endpoint to deliver the malicious SQL payload.
AuthenticationRequired
The attacker must hold at least one low-privilege WordPress account; unauthenticated access alone is not sufficient to trigger the injection point.
Victim interactionNot required
No victim interaction is needed; the attacker sends crafted requests directly to the vulnerable endpoint without requiring any user to click or navigate anywhere.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race conditions or specific memory layout.

Blast Radius

Attacker extracts data from the WordPress database through blind SQL injection, including stored user credentials, session tokens, and any customer or content records held in the database.
Confidentiality impact is high, covering all data readable by the database account the WordPress application uses.
Availability impact is low, meaning the attacker can cause limited, intermittent disruption to the affected service, such as slowing or erroring database queries, without a full denial of service.
Database integrity is not directly affected by this vulnerability based on the reported CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is released. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth applying include network-policy isolation to restrict which roles or IP ranges can reach the WordPress admin surface, egress filtering to limit outbound database-query exfiltration paths, and review of whether the Duplicate Page and Post plugin can be disabled or feature-flag gated until a patch is available. HarborGuard will notify affected environments as soon as the upstream maintainer publishes a fix.

See how HarborGuard automates this

CVSS v3.1: 8.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Arjun Thakur / Duplicate Page and Post
≤ 2.9.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

References

patchstack.com