WordPress
CVE-2025-14074
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.
AnalysisAI
Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability stems from a missing capability check (CWE-862: Missing Authorization) in the 'rednumber_duplicate' WordPress AJAX function within the PDF for Contact Form 7 plugin backend. WordPress plugins implementing AJAX handlers must verify user capabilities using functions such as 'current_user_can()' before allowing sensitive operations. The 'rednumber_duplicate' function fails to validate whether an authenticated user possesses the required permissions (typically 'edit_posts' or post-type-specific capabilities) before duplicating posts. This allows any authenticated WordPress user-even those with minimal Subscriber-level permissions-to access the duplication endpoint and replicate posts they should not be able to modify. The vulnerability is particularly severe because post duplication can bypass WordPress's built-in access controls for password-protected and private content, exposing metadata and post content to unauthorized users.
Affected ProductsAI
The PDF for Contact Form 7 + Drag and Drop Template Builder WordPress plugin in all versions up to and including 6.3.3 is affected (CPE: wordpress:pdf-for-contact-form-7:<=6.3.3). The vulnerable code is documented in the plugin repository at backend/index.php line 697, confirmed in both the 6.3.2 tag and trunk branches. Wordfence threat intelligence confirms the vulnerability across these version ranges. Patched versions beyond 6.3.3 address the flaw via capability check implementation.
RemediationAI
Update the PDF for Contact Form 7 + Drag and Drop Template Builder plugin to version 6.3.4 or later, which includes proper capability checks in the 'rednumber_duplicate' function. Users should navigate to WordPress Dashboard > Plugins, search for 'PDF for Contact Form 7', and click 'Update Now'. If automatic updates are disabled, download the latest version from the official WordPress plugin repository. Until patching is possible, administrators can reduce risk by restricting Subscriber-level account creation and regularly auditing user permissions. For additional details, consult the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7 and the plugin repository change log.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today