CVE-2025-31466 HIGH

CVE-2025-31466: WordPress Duplicate Page and Post plugin <= 1.0 - SQL Injection Vulnerability

Vendor: Falcon Solutions
Product: Duplicate Page and Post
Weakness: CWE-89 · SQLi
Published: March 28, 2025
Last update: April 28, 2026

CVSS base score

8.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Falcon Solutions Duplicate Page and Post duplicate-post-and-page allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through <= 1.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Duplicate Page and Post versions 1.0 and earlier contain a SQL injection vulnerability accessible to authenticated users. An attacker with low-level site access can craft malicious input to extract or modify database records. The vulnerability affects confidentiality severely and can degrade site availability. Update to a version newer than 1.0 immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive database records or modify data by injecting SQL commands through the plugin.

Potential impact on your site

04 Site Impact

Unauthorized access to database contents, potential data modification, and site instability for all users.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site (subscriber or contributor level).

Key dates

06 Disclosure timeline

March 28, 2025: CVE published
April 28, 2026: Record updated