CVE-2019-25314 MEDIUM

CVE-2019-25314: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting

Vendor: Yoast
Product: Duplicate-Post
Published: February 11, 2026
Last update: May 14, 2026

CVSS base score

4.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Passive
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.

Explanation of Vulnerability in Simple Terms

02 Summary

Duplicate Post versions 0.3 through 3.2.3 contain a vulnerability affecting authenticated administrators. An admin user who is tricked into visiting a malicious page can trigger unintended actions within the plugin. The vulnerability requires both high-level privileges and user interaction to exploit. Update to version 3.2.4 or later to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Trick an admin into visiting a malicious page to perform unintended actions in the plugin.

Potential impact on your site

04 Site Impact

An admin could unknowingly perform unintended actions if socially engineered to visit a malicious link.

Conditions required to exploit

05 Prerequisites

Admin-level access to WordPress and user interaction (victim must visit attacker's page).

Key dates

06 Disclosure timeline

February 11, 2026: CVE published
May 14, 2026: Record updated