CVE-2025-14476

High

Published: 13 December 2025

Published

13 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This…

makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the PHP object injection flaw in the WordPress plugin by identifying, patching, or removing the vulnerable component.

SI-10 Information Input Validation good match

prevent

Validates untrusted input from content.txt files in uploaded ZIP archives prior to deserialization to block malicious PHP objects.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict Subscriber-level users from uploading ZIP archives or accessing the vulnerable copy-paste functionality.

Security SummaryAI

CVE-2025-14476 is a PHP Object Injection vulnerability in the Doubly – Cross Domain Copy Paste for WordPress plugin, affecting all versions up to and including 1.0.46. The issue arises from deserialization of untrusted input read from the content.txt file within uploaded ZIP archives, enabling attackers to inject a PHP Object. It is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability, provided administrators have explicitly enabled such access for subscribers. Exploitation involves uploading a malicious ZIP archive, leading to object injection. The presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions based on available gadgets in the plugin. References point to specific code locations in functions.class.php and importer.class.php across plugin tags and trunk.

Details

CWE(s): CWE-502

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability is a PHP object deserialization (CWE-502) in a public-facing WordPress plugin exploitable by authenticated low-privilege users via malicious ZIP upload, enabling remote code execution which directly maps to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040
security@wordfence.com
https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/importer.class.php#L2536
security@wordfence.com
https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/functions.class.php#L1040
security@wordfence.com
https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/importer.class.php#L2536
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3426214/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve
security@wordfence.com