A critical SQL injection/ PHP Object Injection  vulnerability in Duplicate-Page’s WordPress Plugin can allow attackers to steal sensitive user information.

The vulnerability was given a DREAD score of 8.4 for being exploitable by any user with an account on the vulnerable site regardless of privileges and is easy to exploit, Sucuri researchers said in an April 5 blog post.

The vulnerability in the plugin that makes it easy for users to duplicate pages on a site was discovered on March 22 and was patched in the 3.4 release released on April 1.

“Successful exploitation of this bug may allow attackers to steal sensitive user information like password hashes and in certain scenarios, lead to a complete compromise of your WordPress installation,” researchers said in the post. “Depending on what other plugins are active on the site, bad actors may escalate this bug into a PHP Object Injection vulnerability.”

Users of the vulnerable version are advised to update the plugin as soon as possible.