CVE-2025-14476

HIGH
2025-12-13 [email protected]
8.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 08, 2026 - 18:38 vuln.today
CVE Published
Dec 13, 2025 - 16:16 nvd
HIGH 8.8

Tags

PHP Information Disclosure WordPress RCE Deserialization

Description

The Doubly - Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.

Analysis

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

Technical Context

Unsafe deserialization (CWE-502) occurs in functions.class.php and importer.class.php when processing content.txt files within ZIP uploads. Plugin deserializes attacker-controlled data without validation, enabling magic method invocation through POP chain gadgets present in WordPress or loaded libraries. Exploitation depends on available autoloaded classes for chain construction.

Affected Products

Doubly - Cross Domain Copy Paste for WordPress plugin, vendor Andrei Taraschuk, versions 1.0.0 through 1.0.46. CPE: cpe:2.3:a:doubly_project:doubly:*:*:*:*:*:wordpress:*:* (version range ≤1.0.46).

Remediation

Vendor-released patch: upgrade to Doubly plugin version 1.0.47 or later, which addresses unsafe deserialization in content.txt processing as documented in changeset 3426214. Until patching, disable Subscriber-level ZIP upload permissions via plugin settings or deactivate the Doubly plugin entirely if cross-domain copy functionality is non-critical. Administrators should audit user roles with upload capabilities and restrict to Editor-level or above. Review uploaded ZIP archives for malicious content.txt files. Consult vendor advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve and changeset details at https://plugins.trac.wordpress.org/changeset/3426214/ for technical mitigation context. EPSS score indicates low observed exploitation activity (0.11%).

Priority Score

44
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0

Share

CVE-2025-14476 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy