CVE-2025-14001
📋 TL;DR
The WP Duplicate Page WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Contributor-level access or higher to duplicate posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's allowed roles setting. This can lead to unauthorized data duplication, exposure of sensitive information, and potential duplicate order fulfillment in WooCommerce stores.
💻 Affected Systems
- WP Duplicate Page WordPress Plugin
⚠️ Manual Verification Required
The NVD entry for this CVE does not list affected version ranges, so scanners that rely on NVD version data cannot determine automatically whether a given install is exposed.
Why? No version ranges were published by the vendor/NVD. The vendor changeset linked under Fix & Mitigation identifies 1.9 as the fixed release, so treat 1.8 and earlier as affected and confirm by checking the installed version manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could duplicate sensitive posts/pages containing confidential information, create duplicate WooCommerce orders leading to financial losses from duplicate shipments, and potentially disrupt business operations through content duplication.
Likely Case
Unauthorized users duplicate content they shouldn't have access to, potentially exposing draft content, internal documentation, or customer order information. WooCommerce stores could experience duplicate order fulfillment issues.
If Mitigated
If untrusted accounts are kept below Contributor at the WordPress level (the plugin's own role setting cannot be relied on while unpatched) and duplication events are monitored, impact is limited to stray duplicate content that can be detected and removed.
🎯 Exploit Status
Exploitation requires authenticated access with at least Contributor privileges. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3432233/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Duplicate Page' and click 'Update Now'.
4. Alternatively, download version 1.9 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the WP Duplicate Page plugin until patched
wp plugin deactivate wp-duplicate-page
Restrict User Roles
Demote untrusted users holding Contributor or higher roles to Subscriber, which has no edit_posts capability and so cannot reach the duplication handlers. Repeat the listing for each affected role (contributor, author, editor), not just contributor:
wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity for unauthorized content duplication
- If you use WooCommerce, consider disabling HPOS so order data is not exposed through the HPOS-specific duplication handler. Note that this only moves orders back to the posts table; it does not close the authorization bypass in the post/page handler, so treat it as defence in depth rather than a fix.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.8 or lower, you are vulnerable.
Check Version:
wp plugin get wp-duplicate-page --field=version
Verify Fix Applied:
Verify plugin version is 1.9 or higher. Test that users with excluded roles cannot duplicate content.
📡 Detection & Monitoring
Log Indicators:
- Multiple post/page duplication events from non-admin users
- Unusual bulk operations in WordPress activity logs
- WooCommerce order duplication events
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=duplicateBulkHandle or action=duplicateBulkHandleHPOS. The action parameter is usually sent in the POST body, so a plain web-server access log will not show it; you need request-body logging from a WAF, reverse proxy, or a WordPress activity-log plugin to see these requests.
SIEM Query:
source="wordpress" AND (action="duplicateBulkHandle" OR action="duplicateBulkHandleHPOS") AND user_role!="administrator"
(Pseudo-syntax; field names depend on your log source. Ideally filter on roles that are excluded in the plugin's allowed-roles setting rather than on everything below administrator, since editors may legitimately duplicate content.)
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54
- https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79
- https://plugins.trac.wordpress.org/changeset/3432233/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve