CVE-2025-31466
Published: 28 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-31466 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as Blind SQL Injection (CWE-89), affecting the WordPress plugin Duplicate Page and Post (duplicate-post-and-page) developed by Falcon Solutions. The issue affects all versions up to and including 1.0 (no lower bound is given). It carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to network accessibility, low attack complexity, and low privileges required.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without user interaction. By injecting malicious SQL payloads, attackers can perform blind SQL injection techniques to extract sensitive data from the database, achieving high confidentiality impact (C:H). The changed scope (S:C) and low availability impact (A:L) further elevate the risk in WordPress environments.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/duplicate-post-and-page/vulnerability/wordpress-duplicate-page-and-post-1-0-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating to a patched version if available or disabling the plugin.
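An inventory check for the affected plugin, as an added example that is not part of the advisory or the plugin's code. It assumes the plugin sits under the default `wp-content/plugins/` path in a directory named after its slug and reads the version from the standard WordPress plugin header; the function names and the sample site are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "duplicate-post-and-page"  # plugin slug taken from the advisory URL
LAST_AFFECTED = (1, 0)            # "through 1.0 inclusive"
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def header_version(text):
    """Return the Version header of a plugin main file, or None."""
    if not NAME_RE.search(text):
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def is_affected(version):
    """True when version <= 1.0; non-numeric components count as 0."""
    parts = tuple(int(p) if p.isdigit() else 0 for p in version.split("."))
    width = max(len(parts), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parts) <= pad(LAST_AFFECTED)

def check_site(wp_root):
    """Return (installed_version, affected); (None, False) if the plugin is absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return None, False
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress reads plugin headers from the first 8 KB of each file.
        version = header_version(php.read_text(errors="replace")[:8192])
        if version:
            return version, is_affected(version)
    return "unknown", True  # directory present, no header found: flag for review

def make_sample_site(root, version):
    """Build a constructed plugin directory so the check runs offline."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: Sample\n * Version: {version}\n */\n"
    (plugin_dir / "main.php").write_text(header)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_site(make_sample_site(tmp, "1.0")))
```

Sites that relocate `wp-content` need the path adjusted, and a deactivated plugin still shows up here because the check looks at files on disk, not at the active-plugin list.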
Details
- CWE(s): CWE-89
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection vulnerability directly enables low-privileged authenticated users to extract sensitive data from the WordPress database via malicious SQL payloads, facilitating the Databases subtechnique under Data from Information Repositories.