PatchSiren cyber security CVE debrief
CVE-2026-39474 metaphorcreations CVE debrief
CVE-2026-39474 is a HIGH severity vulnerability (CVSS Score: 8.8) affecting Post Duplicator plugin versions <= 3.0.10. The vulnerability allows for Contributor PHP Object Injection. The CVE was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-39474) and last modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-39474).
- Vendor
- metaphorcreations
- Product
- Post Duplicator
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of Post Duplicator plugin versions <= 3.0.10 should update to a patched version to prevent potential exploitation.
Technical summary
The vulnerability is caused by a PHP Object Injection issue in the Post Duplicator plugin. This type of vulnerability occurs when an attacker can inject malicious PHP objects into the application, potentially leading to code execution.
Defensive priority
HIGH
Recommended defensive actions
- Update Post Duplicator plugin to a version greater than 3.0.10.
- Review and monitor your WordPress installation for any suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack (see [ref-4](https://patchstack.com/database/wordpress/plugin/post-duplicator/vulnerability/wordpress-post-duplicator-plugin-3-0-10-php-object-injection-vulnerability?_s_id=cve)).
Official resources
-
CVE-2026-39474 CVE record
CVE.org
-
CVE-2026-39474 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39474 was published on 2026-06-15T21:16:44.100Z and last modified on 2026-06-15T21:24:32.790Z.