CVE-2025-14074
Unauthorized Post Duplication in Contact Form 7 Plugin
Publication date: 2025-12-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | contact_form_7 | * |
| wordpress | drag_and_drop_template_builder | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Contact Form 7 + Drag and Drop Template Builder plugin for WordPress, where a missing capability check on the 'rednumber_duplicate' function allows authenticated users with Subscriber-level access or higher to duplicate arbitrary posts, including those that are password protected or private.
How can this vulnerability impact me?
An attacker with Subscriber-level access or above can exploit this vulnerability to duplicate any post on the WordPress site, including sensitive content such as password protected or private posts, potentially leading to unauthorized content exposure or misuse.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access and above to duplicate arbitrary posts, including password protected or private ones. This unauthorized duplication of potentially sensitive or private content could lead to data exposure or mishandling, which may negatively impact compliance with data protection regulations such as GDPR or HIPAA that require strict control over access to personal or sensitive information. Therefore, this vulnerability poses a risk to maintaining compliance with such standards by enabling unauthorized access and duplication of protected content. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the 'pdf-for-contact-form-7' plugin installed on your WordPress site. Versions up to and including 6.3.3 are vulnerable. You can find the plugin version in the WordPress admin dashboard or by running commands on the server. For example, use the following command to check the plugin version in the WordPress plugins directory:

```bash
grep 'Version:' wp-content/plugins/pdf-for-contact-form-7/readme.txt
```

Alternatively, check the plugin version via WP-CLI:

```bash
wp plugin get pdf-for-contact-form-7 --field=version
```

If the version is 6.3.3 or lower, the site is vulnerable. There is no specific network command that detects exploitation, but monitoring for post duplication actions performed by users with Subscriber-level access or higher may help identify exploitation attempts. [1]
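As an added example (not part of the advisory or the plugin), the following POSIX shell helper reads the `Version:` header from a plugin file and compares it numerically against the first fixed version, 6.3.4. Dotted versions must not be compared as plain strings: "6.10.0" sorts before "6.3.4" lexically but is newer. The `check_plugin_file` and `version_lt` names, and the sample plugin header used in testing, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a plugin file as vulnerable
# (version <= 6.3.3) or patched (>= 6.3.4) using dotted-numeric comparison.
FIXED_VERSION="6.3.4"   # first patched version named in the advisory

# Print the value of the first "Version:" header line in file $1
# (WordPress plugin headers look like " * Version: 6.3.3" inside a comment).
header_version() {
  sed -n 's/^[[:space:]*#]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# Return 0 when version $1 is strictly lower than version $2.
# Each dotted component is compared as an integer; missing parts count as 0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1   # equal versions are not "lower"
}

# Print "vulnerable (v)" / "patched (v)" / "unknown" for plugin file $1.
# Exit status: 0 = vulnerable, 1 = patched, 2 = no Version: header found.
check_plugin_file() {
  v="$(header_version "$1")"
  [ -n "$v" ] || { echo "unknown"; return 2; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable ($v)"; return 0
  fi
  echo "patched ($v)"; return 1
}
```

Point it at the plugin's main PHP file (or any file carrying a `Version:` header), e.g. `check_plugin_file wp-content/plugins/pdf-for-contact-form-7/pdf-for-contact-form-7.php`; the exit status makes it usable from a fleet-wide audit script.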
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the 'pdf-for-contact-form-7' plugin to version 6.3.4 or later, which addresses the security issue by adding the missing capability check. This update includes a major overhaul and security fixes. Until the update is applied, restrict Subscriber-level user permissions if possible to prevent unauthorized post duplication. Additionally, monitor user activity for suspicious duplication of posts, especially password protected or private ones. [1]