CVE-2025-14074
Unknown Unknown - Not Provided
Unauthorized Post Duplication in Contact Form 7 Plugin

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14074
EUVD
EUVD-2025-203072
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress contact_form_7 *
wordpress drag_and_drop_template_builder *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Contact Form 7 + Drag and Drop Template Builder plugin for WordPress, where a missing capability check on the 'rednumber_duplicate' function allows authenticated users with Subscriber-level access or higher to duplicate arbitrary posts, including those that are password protected or private.

Impact Analysis

An attacker with Subscriber-level access or above can exploit this vulnerability to duplicate any post on the WordPress site, including sensitive content such as password protected or private posts, potentially leading to unauthorized content exposure or misuse.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to duplicate arbitrary posts, including password protected or private ones. This unauthorized duplication of potentially sensitive or private content could lead to data exposure or mishandling, which may negatively impact compliance with data protection regulations such as GDPR or HIPAA that require strict control over access to personal or sensitive information. Therefore, this vulnerability poses a risk to maintaining compliance with such standards by enabling unauthorized access and duplication of protected content. [1]

Detection Guidance

This vulnerability can be detected by checking the version of the 'pdf-for-contact-form-7' plugin installed on your WordPress site. Versions up to and including 6.3.3 are vulnerable. You can detect the plugin version via WordPress admin dashboard or by running commands on the server. For example, use the following command to check the plugin version in the WordPress plugins directory: ```bash grep 'Version:' wp-content/plugins/pdf-for-contact-form-7/readme.txt ``` Alternatively, you can check the plugin version via WP-CLI: ```bash wp plugin get pdf-for-contact-form-7 --field=version ``` If the version is 6.3.3 or lower, the site is vulnerable. There is no specific network command to detect exploitation, but monitoring for unauthorized post duplication actions by users with Subscriber-level access or higher may help identify exploitation attempts. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the 'pdf-for-contact-form-7' plugin to version 6.3.4 or later, which addresses the security issue by adding the missing capability check. This update includes a major overhaul and security fixes. Until the update is applied, restrict Subscriber-level user permissions if possible to prevent unauthorized post duplication. Additionally, monitor user activity for suspicious duplication of posts, especially password protected or private ones. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart