CVE-2025-14476
PHP Object Injection in WordPress Doubly Plugin Enables Code Execution
Publication date: 2025-12-13
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Doubly β Cross Domain Copy Paste for WordPress plugin up to version 1.0.46. It is a PHP Object Injection flaw caused by deserialization of untrusted input from the content.txt file inside uploaded ZIP archives. Authenticated users with Subscriber-level access or higher can exploit this to inject malicious PHP objects. If administrators have enabled subscriber access, attackers can use a POP chain to execute arbitrary code, delete files, or retrieve sensitive data.
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute arbitrary code on the server, delete files, retrieve sensitive data, or perform other malicious actions depending on the available PHP gadgets. This can lead to full compromise of the affected WordPress site and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access to execute arbitrary code, delete files, and retrieve sensitive data. This unauthorized access and potential data exposure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Therefore, exploitation of this vulnerability may result in violations of these standards due to compromised confidentiality, integrity, and availability of data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Doubly β Cross Domain Copy Paste for WordPress plugin to a version later than 1.0.46 where the vulnerability is fixed. Additionally, restrict Subscriber-level access from performing imports if administrators have enabled that access, as exploitation requires Subscriber-level or higher privileges and enabled import access. Monitoring and disabling the import of ZIP archives containing content.txt files from untrusted sources can also reduce risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves PHP Object Injection via deserialization of untrusted input from the content.txt file within uploaded ZIP archives in the Doubly β Cross Domain Copy Paste for WordPress plugin. Detection can focus on monitoring uploads of ZIP archives containing a content.txt file and checking for suspicious deserialization activity or unexpected PHP object payloads. Since exploitation requires authenticated Subscriber-level access and above, monitoring user actions for unusual upload behavior is also important. Specific commands are not provided in the resources, but general detection steps could include:
1. Searching for ZIP uploads containing content.txt files in the WordPress uploads directory.
2. Monitoring logs for authenticated Subscriber-level users uploading ZIP files.
3. Using WordPress or server logs to detect deserialization errors or suspicious PHP object instantiations related to the plugin.
4. Employing WordPress security plugins or scanners that detect unsafe deserialization or known vulnerable plugin versions.
However, no explicit commands or detection scripts are provided in the available resources. [1, 2, 3]
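An added detection helper for steps 1 and 3 above (example code, not from this page, Wordfence or the plugin): it walks an uploads tree, opens every ZIP, looks for a content.txt member and reports the class names of any PHP serialize() object markers (O:/C:) found inside it. The two sample archives are constructed for the demonstration and the wp-content/uploads path in the usage note is an assumption.

```python
import io
import re
import zipfile
from pathlib import Path

# PHP serialize() writes objects as O:<len>:"<class>":<n>:{...} and custom-serialized
# classes as C:<len>:"<class>":<len>:{...}; copied content should only need scalars and
# arrays (s:, i:, b:, a:). String values can embed the same characters, so hits are review
# findings, not verdicts.
PHP_OBJECT_MARKER = re.compile(rb'(?<![A-Za-z0-9_])[OC]:\d+:"([A-Za-z0-9_\\]+)"')

def scan_zip_bytes(data: bytes) -> dict:
    """Report whether a ZIP (as bytes) ships a content.txt and which object classes it names."""
    result = {"has_content_txt": False, "object_classes": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if Path(name).name != "content.txt":  # match at any depth in the archive
                    continue
                result["has_content_txt"] = True
                payload = zf.read(name)
                result["object_classes"] += [
                    m.group(1).decode("ascii", "replace")
                    for m in PHP_OBJECT_MARKER.finditer(payload)
                ]
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; nothing to report
    return result

def scan_uploads_dir(root) -> list:
    """Return (path, classes) for every ZIP under root that carries a content.txt."""
    findings = []
    for path in Path(root).rglob("*.zip"):
        r = scan_zip_bytes(path.read_bytes())
        if r["has_content_txt"]:
            findings.append((str(path), r["object_classes"]))
    return findings

def build_sample_zip(content: bytes) -> bytes:
    """Constructed sample archive for this demonstration, not a real plugin export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.txt", content)
    return buf.getvalue()

if __name__ == "__main__":
    benign = build_sample_zip(b'a:1:{s:4:"text";s:5:"hello";}')  # array of strings only
    suspect = build_sample_zip(b'a:1:{i:0;O:8:"stdClass":0:{}}')  # array carrying an object
    print(scan_zip_bytes(benign))   # has_content_txt True, object_classes []
    print(scan_zip_bytes(suspect))  # object_classes ['stdClass']
```

Run `scan_uploads_dir("/var/www/html/wp-content/uploads")` (assumed WordPress uploads path) to list archives worth reviewing; a non-empty object class list does not prove exploitation, only that the import contained serialized objects.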