Escape properly the metadata to be copied.

Fixes a SQL injection because the meta key can contain arbitrary values.

includes/admin/class-wc-admin-duplicate-product.php

@@ -247,9 +247,7 @@ class WC_Admin_Duplicate_Product {
 			$sql_query = "INSERT INTO $wpdb->postmeta (post_id, meta_key, meta_value) ";
 
 			foreach ( $post_meta_infos as $meta_info ) {
-				$meta_key = $meta_info->meta_key;
-				$meta_value = addslashes( $meta_info->meta_value );
-				$sql_query_sel[]= "SELECT $new_id, '$meta_key', '$meta_value'";
+				$sql_query_sel[]= $wpdb->prepare( "SELECT %d, %s, %s", $new_id, $meta_info->meta_key, $meta_info->meta_value );
 			}
 
 			$sql_query.= implode( " UNION ALL ", $sql_query_sel );