CVE-2025-14476
📋 TL;DR
This vulnerability in the Doubly WordPress plugin allows authenticated attackers with Subscriber-level access to execute arbitrary code through PHP object injection. Attackers can upload malicious ZIP archives containing serialized PHP objects that trigger a POP chain when deserialized. Only WordPress sites with this plugin enabled and administrators who have explicitly granted subscribers import access are affected.
💻 Affected Systems
- Doubly – Cross Domain Copy Paste for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, delete files, steal sensitive data, install backdoors, or pivot to other systems.
Likely Case
Website defacement, data theft, malware installation, or creation of admin accounts for persistent access.
If Mitigated
Limited impact if proper access controls prevent subscriber uploads or if the plugin is disabled.
🎯 Exploit Status
Requires authenticated subscriber access and administrator-enabled import permissions. POP chain availability increases exploit reliability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.47 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/doubly
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Doubly – Cross Domain Copy Paste' and check for updates. 4. If update available, click 'Update Now'. 5. Alternatively, download version 1.0.47+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Subscriber Import Access
allRemove subscriber permissions to use plugin import functionality
Disable Plugin
allTemporarily deactivate the Doubly plugin until patched
🧯 If You Can't Patch
- Remove subscriber role import permissions via WordPress user management
- Implement WAF rules to block ZIP file uploads containing content.txt with serialized data
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Doubly plugin version. If version is 1.0.46 or earlier, you are vulnerable.Check Version:
wp plugin list --name=doubly --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.0.47 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual ZIP file uploads by subscriber accounts
- PHP errors related to unserialize() or object injection
- Unexpected file creation or modification
Network Indicators:
- HTTP POST requests with ZIP files to WordPress upload endpoints
- Unusual outbound connections from web server
SIEM Query:
source="wordpress.log" AND ("doubly" OR "content.txt") AND ("upload" OR "import")🔗 References
- https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040
- https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/importer.class.php#L2536
- https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/functions.class.php#L1040
- https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/importer.class.php#L2536
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve
