Skip to main content

WordPress CVE-2025-14074

MEDIUM
Missing Authorization (CWE-862)
2025-12-12 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 08, 2026 - 17:22 vuln.today
CVE Published
Dec 12, 2025 - 10:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.

AnalysisAI

Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability stems from a missing capability check (CWE-862: Missing Authorization) in the 'rednumber_duplicate' WordPress AJAX function within the PDF for Contact Form 7 plugin backend. WordPress plugins implementing AJAX handlers must verify user capabilities using functions such as 'current_user_can()' before allowing sensitive operations. The 'rednumber_duplicate' function fails to validate whether an authenticated user possesses the required permissions (typically 'edit_posts' or post-type-specific capabilities) before duplicating posts. This allows any authenticated WordPress user-even those with minimal Subscriber-level permissions-to access the duplication endpoint and replicate posts they should not be able to modify. The vulnerability is particularly severe because post duplication can bypass WordPress's built-in access controls for password-protected and private content, exposing metadata and post content to unauthorized users.

Affected ProductsAI

The PDF for Contact Form 7 + Drag and Drop Template Builder WordPress plugin in all versions up to and including 6.3.3 is affected (CPE: wordpress:pdf-for-contact-form-7:<=6.3.3). The vulnerable code is documented in the plugin repository at backend/index.php line 697, confirmed in both the 6.3.2 tag and trunk branches. Wordfence threat intelligence confirms the vulnerability across these version ranges. Patched versions beyond 6.3.3 address the flaw via capability check implementation.

RemediationAI

Update the PDF for Contact Form 7 + Drag and Drop Template Builder plugin to version 6.3.4 or later, which includes proper capability checks in the 'rednumber_duplicate' function. Users should navigate to WordPress Dashboard > Plugins, search for 'PDF for Contact Form 7', and click 'Update Now'. If automatic updates are disabled, download the latest version from the official WordPress plugin repository. Until patching is possible, administrators can reduce risk by restricting Subscriber-level account creation and regularly auditing user permissions. For additional details, consult the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7 and the plugin repository change log.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-14074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy