WordPress Plugin Vulnerabilities

Doubly < 1.0.47 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import

Description

The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.

Affects Plugins

Plugin icon
doubly
Fixed in 1.0.47

References

CVE
CVE-2025-14476
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Bartłomiej Bergier (bergee)
Verified
No
WPVDB ID
ed3cd631-e56b-4c1a-ac11-93a148fe7288

Timeline

Publicly Published
2025-12-12 (about 6 months ago)
Added
2025-12-12 (about 6 months ago)
Last Updated
2026-01-06 (about 5 months ago)

Other

Published
Title
Published
2024-08-26
Title
JobSearch < 2.5.4 - Unauthenticated PHP Object Injection
Published
2025-01-03
Title
ARPrice < 4.2 - Unauthenticated PHP Object Injection
Published
2026-04-08
Title
Zermatt < 1.7 - Unauthenticated PHP Object Injection
Published
2025-12-25
Title
WpEvently < 5.0.9 - Authenticated (Contributor+) PHP Object Injection
Published
2025-05-20
Title
Crafts & Arts <= 2.5 - Authenticated (Subscriber+) PHP Object Injection