Duplicate Page and Post Security & Risk Analysis

wordpress.org/plugins/duplicate-wp-page-post

Duplicate post, Duplicate page and Duplicate custom post or clone page and clone post.

80K active installs v2.9.5 PHP 5.2.4+ WP 3.5+ Updated Sep 23, 2024
clone-pageclone-postduplicate-custom-postsduplicate-pageduplicate-post
39
D · High Risk
CVEs total5
Unpatched2
Last CVEMay 27, 2026
Safety Verdict

Is Duplicate Page and Post Safe to Use in 2026?

High Risk

Score 39/100

Duplicate Page and Post carries significant security risk with 5 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

5 known CVEs 2 unpatched Last CVE: May 27, 2026Updated 1yr ago
Risk Assessment

The "duplicate-wp-page-post" plugin v2.9.5 presents a mixed security posture. The static analysis reveals a commendably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and all entry points are protected by authentication checks. The code also demonstrates good practices by utilizing prepared statements for all SQL queries, employing nonce checks, and performing capability checks. However, the vulnerability history is a significant concern, with 4 known CVEs, including one currently unpatched high-severity vulnerability and several past medium-severity SQL injection and XSS issues. This history suggests a pattern of security flaws that require diligent patching, and the presence of an unpatched high-severity vulnerability poses an immediate risk.

Key Concerns

  • Unpatched high severity CVE
  • Multiple past CVEs including SQLi and XSS
  • Some output escaping issues
Vulnerabilities
5 published

Duplicate Page and Post Security Vulnerabilities

CVEs by Year

1 CVE in 2020
2020
2 CVEs in 2022
2022
1 CVE in 2025 · unpatched
2025
1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

High
1
Medium
4

5 total CVEs

CVE-2026-49046medium · 6.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection

May 27, 2026Unpatched
CVE-2025-6189medium · 6.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection via meta_key Parameter

Sep 9, 2025Unpatched
CVE-2022-2152medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicate Page and Post <= 2.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 20, 2022 Patched in 2.8 (552d)
WF-e8ac3187-b065-434e-9051-d13330dd3da5-duplicate-wp-page-postmedium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Duplicate Page and Post <= 2.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 20, 2022 Patched in 2.8 (552d)
WF-76044985-477c-4d62-aec3-1905add0a9e2-duplicate-wp-page-posthigh · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Duplicate Page Plugins <= (Various Versions) - SQL Injection

Apr 25, 2020 Patched in 2.5.7 (1368d)
Code Analysis
Analyzed Mar 16, 2026

Duplicate Page and Post Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
3 prepared
Unescaped Output
3
23 escaped
Nonce Checks
2
Capability Checks
3
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared3 total queries

Output Escaping

88% escaped26 total outputs
Attack Surface

Duplicate Page and Post Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 8
actionadmin_menuduplicate-wp-page-post.php:27
filterplugin_action_linksduplicate-wp-page-post.php:28
actionadmin_action_dt_dpp_post_as_draftduplicate-wp-page-post.php:29
filterpost_row_actionsduplicate-wp-page-post.php:30
filterpage_row_actionsduplicate-wp-page-post.php:31
actionadmin_headduplicate-wp-page-post.php:33
actionpost_submitbox_misc_actionsduplicate-wp-page-post.php:35
actionwp_before_admin_bar_renderduplicate-wp-page-post.php:37
Maintenance & Trust

Duplicate Page and Post Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedSep 23, 2024
PHP min version5.2.4
Downloads1.1M

Community Trust

Rating92/100
Number of ratings29
Active installs80K
Developer Profile

Duplicate Page and Post Developer Profile

Arjun Thakur

3 plugins · 121K total installs

59
trust score
Avg Security Score
72/100
Avg Patch Time
824 days
View full developer profile
Detection Fingerprints

How We Detect Duplicate Page and Post

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/duplicate-wp-page-post/duplicate-wp-page-post.php
Version Parameters
duplicate-wp-page-post/style.css?ver=duplicate-wp-page-post/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
dpp-duplicate-buttonduplicate-post-pageduplicate-page-post-settings
HTML Comments
<!-- IMPORTANT: This file is part of the Duplicate Page and Post plugin. --><!-- Please do not edit this file directly. -->
Data Attributes
data-post-iddata-nonce
JS Globals
dpp_ajax_object
FAQ

Frequently Asked Questions about Duplicate Page and Post