PT-2025-51078 · WordPress · Doubly – Cross Domain Copy Paste For Wordpress
Bartłomiej Bergier · Published 2025-12-13 · Updated 2025-12-18 · CVE-2025-14476
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Doubly – Cross Domain Copy Paste for WordPress plugin versions up to and including 1.0.46
Description
The Doubly – Cross Domain Copy Paste for WordPress plugin is susceptible to PHP Object Injection. This occurs through the deserialization of untrusted input from the content.txt file within uploaded ZIP archives. Attackers with Subscriber-level access or higher can inject a PHP object, and the presence of a property-oriented programming (POP) chain enables arbitrary code execution, file deletion, and sensitive data retrieval. This is only exploitable when administrators have explicitly enabled access for subscribers.
Recommendations
Update Doubly – Cross Domain Copy Paste for WordPress plugin to a version later than 1.0.46.
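For sites that handle similar imports, the following added example (not the Doubly plugin's code and not taken from its patch) shows the unsafe deserialization pattern from the description beside a hardened reader for content.txt. The function names `contains_object` and `read_import_content` and the sample data are hypothetical; it assumes PHP 7.2+ with the zip extension.

```php
<?php
// Added example: hypothetical import helper, not the Doubly plugin's code.
// True if the decoded value holds any object, including __PHP_Incomplete_Class.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}
// Reads content.txt from a ZIP and decodes it without instantiating any class.
function read_import_content(string $zipPath): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $raw = $zip->getFromName('content.txt');
    $zip->close();
    // Vulnerable pattern: unserialize($raw) builds whatever class the file names.
    // Hardened: allowed_classes => false yields inert __PHP_Incomplete_Class objects,
    // and anything other than a plain array of scalars and arrays is rejected.
    $data = $raw === false ? null : @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        throw new UnexpectedValueException('content.txt rejected');
    }
    return $data;
}
// Constructed sample input: a benign array and an array carrying a serialized object.
$samples = [
    'plain'  => serialize(['title' => 'Hello', 'blocks' => [1, 2]]),
    'object' => 'a:1:{s:1:"x";O:8:"stdClass":0:{}}',
];
foreach ($samples as $name => $payload) {
    $path = tempnam(sys_get_temp_dir(), 'imp');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addFromString('content.txt', $payload);
    $zip->close();
    try {
        echo $name, ': accepted ', count(read_import_content($path)), " keys\n";
    } catch (UnexpectedValueException $e) {
        echo $name, ': ', $e->getMessage(), "\n";
    }
    unlink($path);
}
```

Where the import format is under the developer's control, replacing PHP serialization with `json_encode`/`json_decode` removes the object-instantiation path entirely.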
Fix
Deserialization of Untrusted Data
Affected Products
Doubly – Cross Domain Copy Paste For Wordpress