WordPress · Doubly – Cross Domain Copy Paste for WordPress · CVE-2025-14476
**Name of the Vulnerable Software and Affected Versions**
Doubly – Cross Domain Copy Paste for WordPress plugin versions up to and including 1.0.46
**Description**
The Doubly – Cross Domain Copy Paste for WordPress plugin is vulnerable to PHP Object Injection through the deserialization of untrusted input from the `content.txt` file within uploaded ZIP archives. Attackers with Subscriber-level access or higher can inject a PHP object, and the presence of a property-oriented programming (POP) chain enables arbitrary code execution, file deletion, and sensitive data retrieval. The vulnerability is only exploitable when administrators have explicitly enabled access for subscribers.
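For triage of archives already uploaded to a site, the following added example (not code from the plugin or the advisory) flags any `content.txt` inside a ZIP whose data contains PHP serialized object tokens, which is the precondition for the injection described above. It assumes `content.txt` holds PHP `serialize()` output; the function names and the sample data are constructed for illustration, and the regex is a heuristic that can produce false positives on string content.

```python
import io
import re
import zipfile

# Heuristic: a PHP serialized object (O:) or Serializable payload (C:) token at
# the start of the data or directly after a value/array boundary character.
OBJECT_TOKEN = re.compile(rb'(?:^|(?<=[;{}]))([OC]):\d+:"([^"]{1,255})":\d+:\{')
MAX_BYTES = 5 * 1024 * 1024  # do not decompress oversized members


def serialized_classes(data: bytes) -> list[str]:
    """Return the class names of serialized PHP objects found in data."""
    return [m.group(2).decode("utf-8", "replace") for m in OBJECT_TOKEN.finditer(data)]


def scan_archive(zip_bytes: bytes, member_name: str = "content.txt") -> dict[str, list[str]]:
    """Map each member named content.txt (at any depth) to the classes it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.rsplit("/", 1)[-1].lower() != member_name:
                continue
            if info.file_size > MAX_BYTES:
                findings[info.filename] = ["<member too large to inspect>"]
                continue
            classes = serialized_classes(zf.read(info))
            if classes:
                findings[info.filename] = classes
    return findings


def build_zip(content: bytes) -> bytes:
    """Build an in-memory ZIP holding one content.txt (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.txt", content)
    return buf.getvalue()


# Constructed samples: plain array data versus data that embeds an object.
BENIGN = b'a:2:{s:5:"title";s:5:"Hello";s:2:"id";i:7;}'
SUSPECT = b'a:1:{s:4:"item";O:8:"stdClass":1:{s:1:"x";i:1;}}'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_archive(build_zip(sample)))
```

A hit means the file would instantiate a class on `unserialize()`; review the uploading account and whether subscriber access was enabled at the time.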
**Recommendations**
Update Doubly – Cross Domain Copy Paste for WordPress plugin to a version later than 1.0.46.