CVE-2019-25314

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

Y

oast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.

References

Link	Resource
https://duplicate-post.lopo.it/
https://wordpress.org/plugins/duplicate-post/
https://www.exploit-db.com/exploits/47424
https://www.vulncheck.com/advisories/duplicate-post-persistent-cross-site-scripting
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicate-post/yoast-duplicate-post-323-authenticated-admin-stored-cross-site-scripting

Configurations

No configuration.

History

13 Feb 2026, 17:16

Type	Values Removed	Values Added
References		() https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicate-post/yoast-duplicate-post-323-authenticated-admin-stored-cross-site-scripting -
CWE	~~CWE-79~~
CVSS	v2 : ~~unknown~~ v3 : ~~6.4~~	v2 : unknown v3 : 5.5
Summary	(en) Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.	(en) Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.

11 Feb 2026, 15:27

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 15:16

Updated : 2026-02-13 17:16

NVD link : CVE-2019-25314

Mitre link : CVE-2019-25314

CVE.ORG link : CVE-2019-25314

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2019-25314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-11T15:16:10.263", "references": [{"url": "https://duplicate-post.lopo.it/", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/duplicate-post/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/47424", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/duplicate-post-persistent-cross-site-scripting", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicate-post/yoast-duplicate-post-323-authenticated-admin-stored-cross-site-scripting", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces."}], "lastModified": "2026-02-13T17:16:09.023", "sourceIdentifier": "[email protected]"}