CVE-2025-14476
Published: 13 December 2025
Summary
CVE-2025-14476 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the PHP object injection flaw in the WordPress plugin by identifying, patching, or removing the vulnerable component.
Validates untrusted input from content.txt files in uploaded ZIP archives prior to deserialization to block malicious PHP objects.
Enforces least privilege to restrict Subscriber-level users from uploading ZIP archives or accessing the vulnerable copy-paste functionality.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a PHP object deserialization (CWE-502) in a public-facing WordPress plugin exploitable by authenticated low-privilege users via malicious ZIP upload, enabling remote code execution which directly maps to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).
NVD Description
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This…
more
makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
Deeper analysisAI
CVE-2025-14476 is a PHP Object Injection vulnerability in the Doubly – Cross Domain Copy Paste for WordPress plugin, affecting all versions up to and including 1.0.46. The issue arises from deserialization of untrusted input read from the content.txt file within uploaded ZIP archives, enabling attackers to inject a PHP Object. It is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability, provided administrators have explicitly enabled such access for subscribers. Exploitation involves uploading a malicious ZIP archive, leading to object injection. The presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions based on available gadgets in the plugin. References point to specific code locations in functions.class.php and importer.class.php across plugin tags and trunk.
Details
- CWE(s)