CVE-2025-14074
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.
Analysis
Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical Context
The vulnerability stems from a missing capability check (CWE-862: Missing Authorization) in the 'rednumber_duplicate' WordPress AJAX function within the PDF for Contact Form 7 plugin backend. WordPress plugins implementing AJAX handlers must verify user capabilities using functions such as 'current_user_can()' before allowing sensitive operations. The 'rednumber_duplicate' function fails to validate whether an authenticated user possesses the required permissions (typically 'edit_posts' or post-type-specific capabilities) before duplicating posts. This allows any authenticated WordPress user, even one with minimal Subscriber-level permissions, to reach the duplication endpoint and replicate posts they should not be able to modify. The vulnerability is particularly severe because post duplication can bypass WordPress's built-in access controls for password-protected and private content, exposing metadata and post content to unauthorized users.
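As an added illustration (not the plugin's code, and not derived from its source), the following sketch shows what a WordPress AJAX post-duplication handler looks like when it carries the authorization check the advisory says was missing. The action name 'example_duplicate_post', the handler name, and the 'post_id' and 'nonce' request parameters are assumed for the example; the WordPress API calls ('check_ajax_referer', 'current_user_can', 'wp_insert_post', 'wp_send_json_error') are the real core functions.

```php
<?php
// Added example, not the plugin's code. A hardened "duplicate post" AJAX
// handler for WordPress. Action/handler names and request parameters are
// assumed for illustration.

add_action( 'wp_ajax_example_duplicate_post', 'example_duplicate_post' );

function example_duplicate_post() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action. Dies with a 403-style response on failure.
    check_ajax_referer( 'example_duplicate_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'Post not found.', 404 );
    }

    // 2. Authorization: the step whose absence is CWE-862. The meta
    //    capability 'edit_post' is evaluated against THIS post, which is
    //    stricter than a bare 'edit_posts' check: it denies Subscribers
    //    outright and also denies Contributors/Authors access to other
    //    users' private or password-protected posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Duplication inserts a new post, so the user must also be allowed to
    //    create content of this post type.
    $type_obj = get_post_type_object( $post->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_send_json_error( 'Cannot create posts of this type.', 403 );
    }

    $new_id = wp_insert_post( array(
        'post_title'    => $post->post_title,
        'post_content'  => $post->post_content,
        'post_excerpt'  => $post->post_excerpt,
        'post_type'     => $post->post_type,
        'post_status'   => 'draft',   // never auto-publish the copy
        'post_author'   => get_current_user_id(),
        'post_password' => $post->post_password, // keep the original's protection
    ), true );

    if ( is_wp_error( $new_id ) ) {
        wp_send_json_error( $new_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'new_post_id' => $new_id ) );
}
```

The order matters: the nonce check rejects forged cross-site requests, the per-post 'edit_post' check is what stops a low-privilege account from copying content it cannot otherwise read, and the 'create_posts' check covers custom post types whose creation is restricted separately. A handler that registered itself with 'wp_ajax_' but skipped step 2 would be reachable by any logged-in user, which is the condition this advisory describes.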
Affected Products
The PDF for Contact Form 7 + Drag and Drop Template Builder WordPress plugin in all versions up to and including 6.3.3 is affected (CPE: wordpress:pdf-for-contact-form-7:<=6.3.3). The vulnerable code is documented in the plugin repository at backend/index.php line 697, confirmed in both the 6.3.2 tag and trunk branches. Wordfence threat intelligence confirms the vulnerability across these version ranges. Patched versions beyond 6.3.3 address the flaw via capability check implementation.
Remediation
Update the PDF for Contact Form 7 + Drag and Drop Template Builder plugin to version 6.3.4 or later, which includes proper capability checks in the 'rednumber_duplicate' function. Users should navigate to WordPress Dashboard > Plugins, search for 'PDF for Contact Form 7', and click 'Update Now'. If automatic updates are disabled, download the latest version from the official WordPress plugin repository. Until patching is possible, administrators can reduce risk by restricting Subscriber-level account creation and regularly auditing user permissions. For additional details, consult the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7 and the plugin repository change log.