Post Duplicator Security & Risk Analysis

wordpress.org/plugins/post-duplicator

Creates functionality to duplicate any and all post types, including taxonomies & custom fields. Perfect for developers and content creators.

200K active installs · v3.0.11 · PHP 7.4+ · WP 6.6+ · Updated Mar 7, 2026
Tags: duplicate, duplication, post, posts
Score: 95 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Feb 24, 2026
Safety Verdict

Is Post Duplicator Safe to Use in 2026?

Generally Safe

Score 95/100

Post Duplicator has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Feb 24, 2026 · Updated 28d ago
Risk Assessment

The post-duplicator plugin v3.0.11 exhibits a mixed security posture. While it demonstrates good practices in output escaping and limits file operations and external HTTP requests, significant concerns arise from its attack surface and vulnerability history. A substantial portion of its entry points, specifically all 6 identified AJAX handlers and REST API routes, lack proper authentication and authorization checks. This creates a wide opening for attackers to potentially interact with sensitive plugin functionalities without the necessary permissions.

The code analysis reveals the presence of the `unserialize` function, which, when combined with unsanitized input, can lead to Remote Code Execution vulnerabilities. Although the taint analysis did not identify any critical or high-severity unsanitized flows in this specific scan, the potential for such issues remains due to the `unserialize` function and the unprotected entry points. The plugin's history of 6 medium-severity vulnerabilities, including Missing Authorization and Cross-Site Scripting, further highlights a pattern of authorization and input sanitization weaknesses.

Despite the absence of currently unpatched CVEs and a strong record in output escaping, the high number of unprotected entry points and the historical vulnerability types suggest a need for significant improvement in authorization checks. The plugin's core functionality is likely exposed to unauthorized access, which, coupled with the potential risks of `unserialize`, warrants caution. Users should be aware that while the plugin may appear robust in some areas, its fundamental security controls for access are deficient.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Dangerous function: unserialize
  • Vulnerability history: 6 medium CVEs
  • Missing permission callbacks on REST API
  • SQL queries without prepared statements
Vulnerabilities
6

Post Duplicator Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2025: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

Medium: 6 (6 total CVEs)

CVE-2026-2301 · medium · 4.3 · Missing Authorization
Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter
Feb 24, 2026 · Patched in 3.0.9 (1d)

CVE-2025-24736 · medium · 4.3 · Missing Authorization
Post Duplicator <= 2.35 - Missing Authorization
Jan 24, 2025 · Patched in 2.36 (5d)

CVE-2024-12472 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
Post Duplicator <= 2.36 - Authenticated (Contributor+) Protected Post Disclosure
Jan 10, 2025 · Patched in 2.37 (12d)

CVE-2023-49835 · medium · 4.3 · Missing Authorization
Post Duplicator <= 2.31 - Missing Authorization via mtphr_duplicate_post
Dec 5, 2023 · Patched in 2.32 (49d)

CVE-2021-33852 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post Duplicator <= 2.23 - Cross-Site Scripting
Dec 2, 2021 · Patched in 2.24 (782d)

CVE-2016-15027 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post Duplicator <= 2.16 - Reflected Cross-Site Scripting
Apr 6, 2016 · Patched in 2.17 (3048d)

Code Analysis
Analyzed Mar 16, 2026

Post Duplicator Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 1 (2 prepared)
  • Unescaped Output: 3 (79 escaped)
  • Nonce Checks: 1
  • Capability Checks: 10
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\api.php:178
`$unserialized = @unserialize( $trimmed_value, array( 'allowed_classes' => false ) );`

SQL Query Safety

67% prepared · 3 total queries

Output Escaping

96% escaped · 82 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
notice (includes\notices.php:14)
Attack Surface
6 unprotected

Post Duplicator Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers: 1

  • auth · wp_ajax_mtphr_post_duplicator_dismiss_notice · includes\notices.php:7

REST API Routes: 5

  • POST · /wp-json/post-duplicator/v1 · duplicate-post · includes\api.php:10
  • GET · /wp-json/post-duplicator/v1 · post-data/(?P<id>\d+) · includes\api.php:16
  • GET · /wp-json/post-duplicator/v1 · post-full-data/(?P<id>\d+) · includes\api.php:29
  • GET · /wp-json/post-duplicator/v1 · parent-posts · includes\api.php:42
  • GET · /wp-json/post-duplicator/v1 · users · includes\api.php:63

WordPress Hooks: 39

  • action · rest_api_init · includes\api.php:4
  • filter · wp_kses_allowed_html · includes\api.php:735
  • filter · post_row_actions · includes\edit.php:4
  • filter · page_row_actions · includes\edit.php:5
  • filter · cuar/core/admin/content-list-table/row-actions · includes\edit.php:6
  • action · admin_init · includes\edit.php:9
  • action · admin_footer · includes\edit.php:10
  • filter · mtphr_post_duplicator_meta__wc_review_count_enabled · includes\hooks.php:7
  • action · post_submitbox_misc_actions · includes\hooks.php:9
  • action · mtphr_post_duplicator_created · includes\hooks.php:10
  • action · wpmu_new_blog · includes\install.php:78
  • filter · et_builder_should_load_framework · includes\integrations\divi.php:15
  • filter · mtphr_post_duplicator_excluded_post_types · includes\integrations\divi.php:16
  • filter · mtphr_post_duplicator_should_enqueue_list_scripts · includes\integrations\divi.php:17
  • filter · mtphr_post_duplicator_mode · includes\integrations\divi.php:18
  • filter · mtphr_post_duplicator_list_single_after_duplication_action · includes\integrations\divi.php:19
  • filter · mtphr_post_duplicator_list_multiple_after_duplication_action · includes\integrations\divi.php:20
  • filter · mtphr_post_duplicator_general_notices · includes\integrations\divi.php:21
  • action · mtphr_post_duplicator_created · includes\integrations\simple-custom-post-order.php:24
  • action · mtphr_post_duplicator_created · includes\integrations\the-events-calendar.php:4
  • filter · mtphr_post_duplicator_should_enqueue_list_scripts · includes\integrations\wp-nested-pages.php:20
  • action · admin_menu · includes\mtphr-settings\index.php:50
  • action · admin_enqueue_scripts · includes\mtphr-settings\index.php:51
  • action · rest_api_init · includes\mtphr-settings\index.php:52
  • action · admin_notices · includes\mtphr-settings\index.php:53
  • action · rest_api_init · includes\mtphr-settings\index.php:56
  • action · init · includes\mtphr-settings\index.php:57
  • action · init · includes\mtphr-settings\index.php:58
  • action · admin_notices · includes\notices.php:4
  • action · admin_init · includes\notices.php:5
  • action · admin_notices · includes\notices.php:6
  • action · admin_enqueue_scripts · includes\notices.php:8
  • action · admin_enqueue_scripts · includes\scripts.php:4
  • action · MtphrPostDuplicatorSettings/init_settings · includes\settings.php:14
  • action · MtphrPostDuplicatorSettings/init_settings · includes\settings.php:15
  • action · MtphrPostDuplicatorSettings/init_fields · includes\settings.php:16
  • action · admin_init · includes\upgrades.php:5
  • action · init · m4c-postduplicator.php:62
  • action · plugins_loaded · m4c-postduplicator.php:94

Maintenance & Trust

Post Duplicator Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 7, 2026
  • PHP min version: 7.4
  • Downloads: 4.5M

Community Trust

  • Rating: 96/100
  • Number of ratings: 80
  • Active installs: 200K

Developer Profile

Post Duplicator Developer Profile

metaphorcreations

2 plugins · 230K total installs

  • Trust score: 74
  • Avg Security Score: 93/100
  • Avg Patch Time: 270 days
Detection Fingerprints

How We Detect Post Duplicator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/post-duplicator/assets/css/admin-styles.css
  • /wp-content/plugins/post-duplicator/assets/css/post-duplicator-backend.css
  • /wp-content/plugins/post-duplicator/assets/js/post-duplicator-backend.js
  • /wp-content/plugins/post-duplicator/assets/js/post-duplicator-frontend.js
  • /wp-content/plugins/post-duplicator/assets/js/tinymce-button.js
  • /wp-content/plugins/post-duplicator/includes/mtphr-settings/assets/css/mtphr-settings.css
  • /wp-content/plugins/post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings.js
  • /wp-content/plugins/post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings-pro.js

Script Paths
  • /wp-content/plugins/post-duplicator/assets/js/post-duplicator-backend.js
  • /wp-content/plugins/post-duplicator/assets/js/post-duplicator-frontend.js
  • /wp-content/plugins/post-duplicator/assets/js/tinymce-button.js
  • /wp-content/plugins/post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings.js
  • /wp-content/plugins/post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings-pro.js

Version Parameters
  • post-duplicator/assets/css/admin-styles.css?ver=
  • post-duplicator/assets/css/post-duplicator-backend.css?ver=
  • post-duplicator/assets/js/post-duplicator-backend.js?ver=
  • post-duplicator/assets/js/post-duplicator-frontend.js?ver=
  • post-duplicator/assets/js/tinymce-button.js?ver=
  • post-duplicator/includes/mtphr-settings/assets/css/mtphr-settings.css?ver=
  • post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings.js?ver=
  • post-duplicator/includes/mtphr-settings/assets/js/mtphr-settings-pro.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mtphr-settings-wrap
  • mtphr-settings-content
  • mtphr-settings-field
  • mtphr-settings-field-input
  • mtphr-settings-field-label
  • mtphr-settings-field-description
  • mtphr-post-duplicator-admin-wrap
  • pd-duplicate-post-row
  • +1 more

HTML Comments
  • Copyright 2012 Metaphor Creations
  • This program is free software
  • This program is distributed in the hope that it will be useful
  • You should have received a copy of the GNU General Public License
  • +2 more

Data Attributes
  • data-plugin-id
  • data-mtphr-settings-id
  • data-mtphr-settings-field-id
  • data-mtphr-settings-field-type

JS Globals
  • mtphrSettings
  • mtphrPostDuplicatorAdmin

REST Endpoints
  • /wp-json/mtphr/post-duplicator/v1/settings
  • /wp-json/mtphr/post-duplicator/v1/duplicate

FAQ

Frequently Asked Questions about Post Duplicator