WordPress Security Bulletin: WP Duplicate Page plugin (CVE-2025-14001)

Security Alert Summary

The WP Duplicate Page plugin for WordPress contains missing capability checks in two functions, allowing authenticated users with Contributor-level access and above to duplicate posts, pages, and WooCommerce High-Performance Order Storage (HPOS) orders regardless of the plugin’s “Allowed User Roles” setting. This can expose sensitive content and enable unintended duplicate order fulfillment.

CVE Details

  • CVE ID: CVE-2025-14001
  • Affected component: WP Duplicate Page plugin for WordPress
  • Affected versions: All versions up to, and including, 1.8
  • Published: January 13, 2026 at 12:15 PM UTC
  • Last modified: January 13, 2026 at 2:03 PM UTC
  • CVSS v3.1: Base Score 5.4 — MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • Authentication & privileges: Requires authentication; privileges required: LOW (authenticated users such as Contributors and above).
  • User interaction: None (UI:N).
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE.
  • CWE / weakness: CWE-862 (Missing Authorization)
  • Fixed version: Not specified in the CVE entry.

Technical Details

The vulnerability is caused by missing capability checks in the plugin’s handling of bulk duplication operations. Specifically, the functions duplicateBulkHandle and duplicateBulkHandleHPOS do not enforce the plugin’s “Allowed User Roles” restriction, allowing an authenticated user with low privileges (for example, a Contributor) to trigger duplication actions they should not be able to perform.

Because these functions lack the necessary authorization checks, an attacker with an affected role can duplicate arbitrary posts, pages, and WooCommerce HPOS orders. The issue exists in all versions up to and including 1.8 according to the CVE description.

The impact is limited to unauthorized duplication (integrity) and exposure of content (confidentiality) as described; the CVE does not indicate availability or broader privilege escalation beyond duplication of content and orders.
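To make the CWE-862 pattern concrete, the following is an added illustration written for this bulletin; it is not the WP Duplicate Page plugin's code and does not reproduce duplicateBulkHandle or duplicateBulkHandleHPOS. It shows a bulk "duplicate" handler that trusts the request entirely next to a hardened version that layers the three checks a plugin like this needs: a nonce, the plugin's own role allow-list, and a per-object capability check. The hook `handle_bulk_actions-edit-post`, `check_admin_referer`, `current_user_can`, `get_option`, `wp_get_current_user` and `wp_insert_post` are real WordPress APIs; the option key `example_allowed_roles`, the action name `example_duplicate` and all `example_*` function names are assumptions made for this example.

```php
<?php
/**
 * Added example for CVE-2025-14001 (CWE-862, missing authorization).
 * Not the plugin's code. Option key, action name and function names
 * prefixed "example_" are assumptions made for this illustration.
 */

// --- Vulnerable pattern: no authorization at all -------------------------
function example_duplicate_bulk_unchecked( $redirect_to, $action, $post_ids ) {
    if ( 'example_duplicate' !== $action ) {
        return $redirect_to;
    }
    // No nonce, no capability check, no role allow-list: any logged-in user
    // who can submit the bulk form duplicates every selected object.
    foreach ( $post_ids as $post_id ) {
        example_copy_post( (int) $post_id );
    }
    return add_query_arg( 'example_duplicated', count( $post_ids ), $redirect_to );
}

// --- Hardened pattern ----------------------------------------------------
function example_duplicate_bulk_checked( $redirect_to, $action, $post_ids ) {
    if ( 'example_duplicate' !== $action ) {
        return $redirect_to;
    }

    // 1. CSRF: the posts list-table bulk form is signed with the 'bulk-posts' nonce.
    check_admin_referer( 'bulk-posts' );

    // 2. Plugin policy: the "Allowed User Roles" setting, assumed here to live
    //    under the hypothetical option key 'example_allowed_roles'.
    $allowed_roles = (array) get_option( 'example_allowed_roles', array( 'administrator', 'editor' ) );
    $user_roles    = (array) wp_get_current_user()->roles;
    if ( ! array_intersect( $allowed_roles, $user_roles ) ) {
        wp_die( esc_html__( 'Your role is not allowed to duplicate content.', 'example' ), 403 );
    }

    // 3. Per-object capability: defer to core's own checks for each target so
    //    a Contributor cannot copy another author's or a published post.
    $done = 0;
    foreach ( array_map( 'intval', $post_ids ) as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue; // skip silently; do not confirm that the post exists
        }
        if ( example_copy_post( $post_id ) ) {
            $done++;
        }
    }
    return add_query_arg( 'example_duplicated', $done, $redirect_to );
}

// Minimal copy routine shared by both handlers (example only).
function example_copy_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return 0;
    }
    $copy = array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_type'    => $post->post_type,
        'post_status'  => 'draft',               // never publish a copy automatically
        'post_author'  => get_current_user_id(),
    );
    $new_id = wp_insert_post( $copy, true );
    return is_wp_error( $new_id ) ? 0 : $new_id;
}

add_filter( 'handle_bulk_actions-edit-post', 'example_duplicate_bulk_checked', 10, 3 );
```

Step 2 alone is not enough: the plugin's "Allowed User Roles" option is a site-level policy, while step 3 is what stops a user who is allowed to duplicate in general from copying a specific object they cannot edit. For a WooCommerce HPOS order handler the same structure applies, with the per-object check replaced by WooCommerce's order capabilities (for example `manage_woocommerce`) since HPOS orders are not posts and `edit_post` does not cover them.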

How This Could Impact Your Website

Consider a small e-commerce site with multiple user roles: the site owner, an internal content editor, and external contributors or contractors. A contributor who should only be able to submit draft posts could, because of this issue, duplicate published posts or pages and copy WooCommerce HPOS orders. That can lead to disclosure of content that was intended to be restricted, or to duplicate order records that might result in confusion or duplicate fulfillment if not noticed by staff.

Practical consequences include exposure of internal content or user data (for example, email addresses contained in duplicated content), increased risk of targeted phishing or social engineering using exposed details, and operational overhead to identify and remove duplicate orders or content. The impacts align with the CVSS ratings of low confidentiality and integrity impacts rather than total site compromise.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributors and other roles that can be used to perform bulk actions.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual duplication actions or unexpected order creations.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
