PHP
CVE-2025-14476
Severity: HIGH
Severity by source: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The Doubly - Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
Analysis (AI-generated)
PHP object injection in the Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialization of untrusted input from uploaded ZIP archives. Exploitation requires administrators to have explicitly enabled Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. The attack vector is network-accessible (AV:N), requires low-privilege authentication (PR:L), and needs no user interaction (UI:N). No public exploit was identified at the time of analysis.
Technical Context (AI-generated)
Unsafe deserialization (CWE-502) occurs in functions.class.php and importer.class.php when processing content.txt files within ZIP uploads. The plugin deserializes attacker-controlled data without validation, enabling magic method invocation through POP chain gadgets present in WordPress or loaded libraries. Exploitation depends on the autoloaded classes available for chain construction.
Affected Products (AI-generated)
Doubly - Cross Domain Copy Paste for WordPress plugin, vendor Andrei Taraschuk, versions 1.0.0 through 1.0.46. CPE: cpe:2.3:a:doubly_project:doubly:*:*:*:*:*:wordpress:*:* (version range ≤1.0.46).
Remediation (AI-generated)
Vendor-released patch: upgrade to Doubly plugin version 1.0.47 or later, which addresses unsafe deserialization in content.txt processing as documented in changeset 3426214. Until patching, disable Subscriber-level ZIP upload permissions via plugin settings or deactivate the Doubly plugin entirely if cross-domain copy functionality is non-critical. Administrators should audit user roles with upload capabilities and restrict to Editor-level or above. Review uploaded ZIP archives for malicious content.txt files. Consult vendor advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve and changeset details at https://plugins.trac.wordpress.org/changeset/3426214/ for technical mitigation context. EPSS score indicates low observed exploitation activity (0.11%).
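An audit helper for the "review uploaded ZIP archives for malicious content.txt files" step above, added here as an illustration and not part of the Doubly plugin or the advisory: it walks a ZIP archive, finds every content.txt entry, and reports the PHP class names that unserialize() would instantiate, which is the signal an object-injection payload cannot hide. The archive contents and the class name Example_Gadget are constructed samples.

```python
import io
import re
import zipfile
from typing import Dict, List

# A PHP serialized object token looks like O:<len>:"<class>": (C: for custom-serialized classes).
# unserialize() instantiates every class named this way, which is what a POP chain relies on.
_OBJECT_TOKEN = re.compile(rb'(?:O|C):(\d+):"([^"]*)":')


def php_object_classes(blob: bytes) -> List[str]:
    """Return the class name of every well-formed object token in a PHP-serialized blob."""
    names = []
    for match in _OBJECT_TOKEN.finditer(blob):
        declared_len, name = int(match.group(1)), match.group(2)
        if declared_len == len(name):  # skip prose that merely resembles a token
            names.append(name.decode("utf-8", "replace"))
    return names


def audit_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each content.txt entry (any directory depth, any case) to the sorted set of
    PHP classes it would instantiate on unserialize(); entries with none are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.filename.rsplit("/", 1)[-1].lower() != "content.txt":
                continue
            classes = sorted(set(php_object_classes(archive.read(info))))
            if classes:
                findings[info.filename] = classes
    return findings


def build_sample_zip(content: bytes, path: str = "content.txt") -> bytes:
    """Construct an in-memory ZIP with a single entry (a test fixture, not a real upload)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(path, content)
    return buffer.getvalue()


# Constructed samples: a plain serialized array (no objects) and a payload that nests a
# hypothetical class, Example_Gadget, inside a stdClass.
BENIGN = b'a:1:{s:4:"text";s:11:"hello world";}'
SUSPICIOUS = (b'O:8:"stdClass":1:{s:4:"next";'
              b'O:14:"Example_Gadget":1:{s:4:"path";s:8:"some.log";}}')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_zip(build_sample_zip(sample)))
```

Any class reported that is not expected from the plugin's own export format deserves a look; stdClass alone carries no magic methods but still shows the file was produced by PHP serialization rather than plain text.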