CVE-2025-14001
Authorization Bypass in WP Duplicate Page Plugin Allows Data Modification
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ninjateam | wp_duplicate_page | to 1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with Contributor-level access and above to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is excluded from the plugin's allowed user roles. This unauthorized duplication can potentially expose sensitive information and allow duplicate fulfillment of WooCommerce orders. Such exposure and unauthorized data modification could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to and modification of sensitive data. [3]
Can you explain this vulnerability to me?
The vulnerability in the WP Duplicate Page plugin for WordPress allows authenticated users with Contributor-level access or higher to duplicate posts, pages, and WooCommerce HPOS orders without proper authorization. This happens because the plugin's functions 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' lack necessary capability checks, enabling users to bypass the 'Allowed User Roles' restrictions. As a result, unauthorized duplication of content and orders is possible, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. [3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing users with lower-level access (Contributor and above) to duplicate arbitrary posts, pages, and WooCommerce orders even if their role is excluded from duplication permissions. This can lead to exposure of sensitive information contained in duplicated content and may cause duplicate fulfillment of WooCommerce orders, potentially resulting in financial loss, data integrity issues, and operational disruptions. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can check if the WP Duplicate Page plugin is installed and if its version is 1.8 or earlier, as these versions lack proper capability checks. Additionally, monitoring WordPress admin actions for unauthorized bulk duplication attempts on posts, pages, or WooCommerce HPOS orders could indicate exploitation. Since the vulnerability involves missing permission checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions, you might look for unusual duplication activity by users with Contributor-level access or above. Specific commands are not provided in the resources, but you can audit plugin versions via WP-CLI with commands like `wp plugin list` to identify vulnerable versions. Also, reviewing WordPress logs or enabling audit logging plugins to track duplication actions could help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Duplicate Page plugin to version 1.8.1 or later, where the vulnerability is fixed by adding proper permission checks in the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions. This update prevents unauthorized users from duplicating content. If updating is not immediately possible, restrict Contributor-level and above users' access to duplication features or disable the plugin temporarily to prevent exploitation. Additionally, review and adjust the 'Allowed User Roles' settings in the plugin to ensure only trusted roles have duplication permissions. [3]