– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-14001:
This vulnerability is a missing authorization flaw in the WP Duplicate Page WordPress plugin, affecting versions up to and including 1.8. It allows authenticated users with Contributor-level permissions or higher to duplicate arbitrary posts, pages, and WooCommerce HPOS orders, bypassing the plugin’s configured role restrictions. The CVSS score of 5.4 reflects a medium severity impact.

The root cause is the absence of a capability check in two bulk action handler functions. The `duplicateBulkHandle` function in `/wp-duplicate-page/includes/Classes/ButtonDuplicate.php` (line 53) and the `duplicateBulkHandleHPOS` function (line 78) process bulk duplication requests. Before the patch, these functions immediately executed duplication logic upon matching the action `’wp_duplicate_page_bulk_action’`. They did not verify if the current user had permission to copy posts as defined by the plugin’s `Utils::isCurrentUserAllowedToCopy()` method. This omission allowed users to bypass the plugin’s “Allowed User Roles” setting.

An attacker exploits this by sending a POST request to the WordPress admin bulk actions endpoint. The attacker must be authenticated with at least Contributor privileges. The request targets the post list table in `/wp-admin/edit.php` or the WooCommerce orders page, submitting a bulk action with the name `wp_duplicate_page_bulk_action` and an array of target post or order IDs. No special nonce or additional parameters are required beyond the standard WordPress bulk action parameters, as the missing authorization check is the sole vulnerability.

The patch adds an authorization check at the beginning of both vulnerable functions. In `ButtonDuplicate.php`, lines 56 and 83 now call `if ( ! Utils::isCurrentUserAllowedToCopy() ) { return $redirect; }`. This function validates the user’s role against the plugin’s settings. The patch also updates the plugin version to 1.8.1 in `wp-duplicate-page.php`. Before the patch, any authenticated user triggering the bulk action could duplicate posts. After the patch, the function exits early if the user is not explicitly permitted by the plugin’s configuration, preventing unauthorized duplication.

Successful exploitation leads to unauthorized data duplication. Attackers can duplicate any post, page, or WooCommerce order, potentially exposing sensitive information from drafts or private content. For WooCommerce sites, this could result in duplicate order fulfillment, causing logistical and financial issues. The vulnerability undermines the plugin’s role-based access control, allowing users to perform actions explicitly denied by the site administrator.