The WP Duplicate Page plugin for WordPress, developed by ninjateam, suffers from a missing authorization vulnerability identified as CVE-2025-14001 (CWE-862). This vulnerability exists in all plugin versions up to and including 1.8. Specifically, the functions 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' lack proper capability checks, allowing authenticated users with Contributor-level permissions or higher to perform unauthorized duplication of posts, pages, and WooCommerce High-Performance Order Storage (HPOS) orders. The plugin includes an "Allowed User Roles" setting intended to restrict duplication capabilities, but this vulnerability bypasses those restrictions, enabling roles explicitly excluded from duplication to still perform these actions. The impact includes potential exposure of sensitive information contained within duplicated content and the risk of duplicate fulfillment of WooCommerce orders, which could lead to financial loss or operational disruption. The vulnerability requires the attacker to be authenticated with at least Contributor privileges but does not require additional user interaction. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, and limited confidentiality and integrity impacts without availability impact. No patches or known exploits are currently reported, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those running WooCommerce with HPOS enabled.

This vulnerability can lead to unauthorized duplication of content and orders, potentially exposing sensitive information such as unpublished posts or private pages. For e-commerce sites using WooCommerce HPOS, attackers could duplicate orders, causing duplicate fulfillment, financial loss, inventory mismanagement, and customer confusion. The breach of role-based access controls undermines trust in site security and could facilitate further attacks if duplicated content includes sensitive data or administrative information. Organizations relying on this plugin risk data leakage and operational disruption, particularly those with Contributor-level users who should not have duplication privileges. The vulnerability does not directly affect availability but compromises confidentiality and integrity, which can have cascading effects on business processes and customer trust.

1. Immediately update the WP Duplicate Page plugin to a patched version once released by ninjateam. 2. Until a patch is available, restrict Contributor and higher roles from accessing duplication features by modifying role capabilities or disabling the plugin on critical sites. 3. Implement strict monitoring and logging of duplication actions to detect unauthorized activity. 4. Review and tighten WordPress user role assignments to minimize unnecessary Contributor-level access. 5. For WooCommerce sites, audit order fulfillment processes to detect and prevent duplicate orders. 6. Consider disabling the plugin entirely if duplication functionality is not essential. 7. Employ Web Application Firewalls (WAFs) with custom rules to block suspicious duplication requests targeting the vulnerable functions. 8. Educate site administrators about the risk and encourage prompt response to suspicious activity related to content duplication.