Description
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
Published: 2025-12-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via PHP Object Injection
Action: Apply Patch
AI Analysis

Impact

The Doubly plugin for WordPress contains a PHP Object Injection flaw that is triggered when a user with at least Subscriber permissions uploads a ZIP archive containing a malicious content.txt file. The plugin deserializes the contents of this file without validation, allowing an attacker who has both authentication and the import capability to inject a crafted PHP object. If a POP (property-oriented programming) gadget chain is available on the site, the attacker can achieve remote code execution, delete files, exfiltrate data, or otherwise manipulate the site. The weakness is classified as CWE-502 (Deserialization of Untrusted Data) and lets the attacker compromise the confidentiality, integrity or availability of the WordPress installation, but only while the vulnerable import functionality is enabled for non-administrator roles.

Affected Systems

All installations of the Doubly – Cross Domain Copy Paste for WordPress plugin up to and including version 1.0.46 are affected. The status of later versions (e.g., 1.0.47) is not explicitly stated in the provided data.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high overall severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The flaw is not currently listed in the CISA KEV catalogue. Exploitation requires authentication with a Subscriber-level role and the ability to upload ZIP files for import, a privilege that administrators must explicitly grant to that role. Attackers can use the deserialized object to execute arbitrary code, delete or steal files, or manipulate content, all of which is feasible only on sites that still run the vulnerable plugin and have granted import rights to subscribers.

Generated by OpenCVE AI on April 22, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Doubly plugin to the latest available version to eliminate the vulnerable deserialization logic.
  • Restrict the ZIP import privilege to administrator roles only; disable this capability for Subscribers and other non‑admin users.
  • If an immediate upgrade cannot be performed, disable the ZIP import feature or uninstall the Doubly plugin until a secure version is available.
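As an added illustration (not the Doubly plugin's own code, and not derived from it), the following shows the vulnerable shape described in the Impact section next to a hardened import handler that applies the two mitigations recommended above: the import is gated behind an administrator capability, and content.txt is treated as plain data instead of being passed to unserialize(). The function names and the JSON layout of content.txt are assumptions; current_user_can() and wp_die() are WordPress core functions.

```php
<?php
// Added example, not the Doubly plugin's code. Assumes a WordPress runtime
// (current_user_can() and wp_die() are core functions) and that content.txt
// can be stored as JSON; all three function names are hypothetical.

// Vulnerable shape the advisory describes: the archive entry goes straight to
// unserialize(), so a serialized object in content.txt is instantiated and its
// magic methods (__wakeup, __destruct, ...) run.
function unsafe_zip_import(string $zip_path) {
    $zip = new ZipArchive();
    $zip->open($zip_path);
    return unserialize($zip->getFromName('content.txt')); // CWE-502
}

// Hardened shape: administrator-only capability gate, the entry is read from
// memory (nothing is extracted to disk), and it is parsed as plain data.
function safe_zip_import(string $zip_path): array {
    // 1. Subscriber-level accounts must never reach this code path.
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to import content.', 403);
    }

    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    $raw = $zip->getFromName('content.txt');
    $zip->close();
    if ($raw === false || strlen($raw) > 1024 * 1024) {
        throw new RuntimeException('content.txt missing or larger than 1 MiB');
    }

    // 2. JSON decoded to associative arrays only, with a bounded nesting depth.
    //    JSON cannot express a PHP object, so the parser cannot instantiate one.
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('content.txt must contain a JSON object');
    }
    return $data;
}

// If a legacy serialized format must still be read, forbid every class: objects
// become __PHP_Incomplete_Class and no __wakeup()/__destruct() of the original
// class executes. Still combine this with the capability gate above.
function legacy_unserialize_without_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}
```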

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000
  Type: References

Mon, 15 Dec 2025 16:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000
  Type: First Time appeared
  Values added: Unitecms; Unitecms doubly; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values added: Unitecms; Unitecms doubly; Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000
  Type: Description
  Values added: The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
  Type: Title
  Values added: Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import
  Type: Weaknesses
  Values added: CWE-502
  Type: References
  Type: Metrics (cvssV3_1)
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:57.032Z

Reserved: 2025-12-10T18:32:10.966Z

Link: CVE-2025-14476

Vulnrichment

Updated: 2025-12-15T15:21:12.999Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:50.640

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses