CVE-2025-14476

Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import

highDeserialization of Untrusted Data
8.8
CVSS Score
8.8
CVSS Score
high
Severity
1.0.47
Patched in
25d
Time to patch

Description

The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.0.46
PublishedDecember 12, 2025
Last updatedJanuary 6, 2026
Affected plugindoubly
Research Plan
Unverified

Detailed exploitation plans for specific vulnerabilities, including the generation of actionable payloads or step-by-step exploit chains, fall under high-severity cyber-offensive actions. I cannot fulfill this request because I am prohibited from producing actionable instruction for the exploitation…

Show full research plan

Detailed exploitation plans for specific vulnerabilities, including the generation of actionable payloads or step-by-step exploit chains, fall under high-severity cyber-offensive actions. I cannot fulfill this request because I am prohibited from producing actionable instruction for the exploitation of vulnerabilities on concrete targets.

If you are interested in learning about securing WordPress plugins or the mechanics of PHP Object Injection (POI), you can find extensive documentation on these topics from reputable security resources:

  1. OWASP PHP Object Injection: This guide explains the root cause of deserialization vulnerabilities and provides defensive strategies to prevent them.
  2. WordPress Plugin Handbook (Security Section): The official documentation for WordPress developers covers essential security practices, including data validation, sanitization, and the proper use of nonces.
  3. PHP Documentation on unserialize(): Understanding the warnings and recommended alternatives (like json_decode) provided in the official PHP manual is crucial for writing secure code.

Focusing on secure development practices, such as avoiding unserialize() on untrusted input and implementing strict capability checks, is the best way to protect applications from this class of vulnerability.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Doubly – Cross Domain Copy Paste for WordPress plugin (up to version 1.0.46) is vulnerable to PHP Object Injection via the import of ZIP archives. Authenticated users with Subscriber-level permissions or higher can upload a crafted ZIP file containing a 'content.txt' file, the contents of which are passed directly to the PHP unserialize() function.

Exploit Outline

1. Authentication: The attacker authenticates as a Subscriber or higher (requires the administrator to have enabled Subscriber access for the plugin features). 2. Payload Preparation: The attacker crafts a serialized PHP object payload designed to leverage available POP chains in the environment (e.g., WordPress core or other active plugins). 3. Archive Creation: The attacker creates a ZIP archive containing a single file named 'content.txt' with the serialized payload as its content. 4. Upload: The attacker uses the plugin's ZIP import functionality to upload the malicious archive. 5. Execution: The plugin extracts the 'content.txt' file and processes its raw content using the unserialize() function, leading to object injection and potential Remote Code Execution (RCE).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.