CVE-2025-14476: CWE-502 Deserialization of Untrusted Data in unitecms Doubly – Cross Domain Copy Paste for WordPress
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers when administrators have explicitly enabled that access.
AI Analysis
Technical Summary
CVE-2025-14476 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the Doubly – Cross Domain Copy Paste plugin for WordPress by unitecms, in all versions up to and including 1.0.46. The flaw is the plugin's unsafe deserialization of the content.txt file contained in user-uploaded ZIP archives. An authenticated attacker with Subscriber-level privileges or higher can upload a crafted archive whose content.txt holds a serialized PHP object; when the plugin processes the archive it deserializes that untrusted content, which instantiates the attacker-chosen object (PHP Object Injection). Combined with a Property Oriented Programming (POP) chain of gadgets already present in the environment, this can yield arbitrary code execution, file deletion, or exfiltration of sensitive data; what is reachable depends on the gadgets available. Exploitation requires that administrators have explicitly enabled subscriber-level upload permissions, which is not the default but does occur in some configurations. The vulnerability carries a CVSS v3.1 score of 8.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction beyond authentication. No public exploit code or active exploitation has been reported, but the potential for severe damage is significant given the nature of PHP Object Injection and the wide deployment of WordPress and this plugin. The vulnerability was published on December 13, 2025; no official patch was available at the time of reporting, so administrators need to apply mitigations immediately.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the security of WordPress-based websites and web applications that use the Doubly – Cross Domain Copy Paste plugin. Successful exploitation can lead to full server compromise, allowing attackers to execute arbitrary code, delete critical files, or steal sensitive data such as customer information, intellectual property, or credentials. This can result in service outages, data breaches, reputational damage, and regulatory penalties under GDPR. Organizations relying on subscriber-level user uploads for content management or collaboration are particularly vulnerable if they have enabled such permissions. The attack vector is remote and requires only low-privileged authenticated access, which could be obtained via credential theft or weak password policies. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the vulnerability could be leveraged for targeted attacks or widespread exploitation campaigns. The absence of known exploits in the wild currently provides a window for proactive defense, but the high severity score indicates urgent attention is needed.
Mitigation Recommendations
1. Immediately disable subscriber-level upload permissions in WordPress settings to prevent untrusted users from uploading ZIP archives.
2. Restrict or disable ZIP file uploads entirely if not required by business processes.
3. Implement strict file type validation and scanning on all uploads to detect and block malicious archives.
4. Monitor and audit user uploads and plugin activity logs for suspicious behavior.
5. Apply web application firewall (WAF) rules to detect and block exploitation attempts targeting this vulnerability.
6. Follow the vendor's updates closely and apply official patches as soon as they become available.
7. Consider isolating WordPress instances or running them with minimal privileges to limit the impact of potential code execution.
8. Educate administrators about the risks of enabling subscriber upload permissions and enforce strong authentication controls to reduce the risk of compromised accounts.
9. Conduct regular security assessments and penetration tests focusing on plugin vulnerabilities and deserialization issues.
10. Back up critical data and have an incident response plan ready in case of exploitation.
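As an added defender-side example (not the plugin's or Wordfence's code), the following Python scanner implements mitigation step 3 against the mechanism described in the technical summary: it inspects every content.txt inside an uploaded ZIP and reports the PHP classes that deserializing it would instantiate, so an upload hook can reject the archive before the plugin ever processes it. The sample archive, the size cap and the class names in it are constructed for illustration.

```python
import io
import re
import zipfile

# PHP's serialize() writes objects as O:<len>:"<class>":<n>:{...} and
# custom-serialized objects as C:<len>:"<class>":<n>:{...}; arrays (a:),
# strings (s:) and ints (i:) instantiate nothing when deserialized.
_PHP_OBJECT = re.compile(rb'(?<![A-Za-z0-9])[OC]:(\d+):"([^"]+)":\d+:[{]')
MAX_ENTRY_BYTES = 1_000_000  # constructed cap: never inflate more than this per entry


def php_object_classes(data: bytes) -> list[str]:
    """Class names of every serialized PHP object in data whose declared
    name length is consistent (filters out accidental look-alikes)."""
    found = []
    for m in _PHP_OBJECT.finditer(data):
        length, name = int(m.group(1)), m.group(2)
        if len(name) == length:
            found.append(name.decode("utf-8", "replace"))
    return found


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each content.txt entry (at any depth) to the PHP classes that
    deserializing it would instantiate; entries with none are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.rsplit("/", 1)[-1].lower() != "content.txt":
                continue
            if info.file_size > MAX_ENTRY_BYTES:  # header value; read is capped too
                findings[info.filename] = ["<entry too large to inspect>"]
                continue
            with zf.open(info) as fh:
                classes = php_object_classes(fh.read(MAX_ENTRY_BYTES))
            if classes:
                findings[info.filename] = classes
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: a harmless content.txt (plain array), one carrying
    a serialized stdClass, and an object in a file name the check ignores."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clean/content.txt", 'a:1:{s:5:"title";s:5:"Hello";}')
        zf.writestr("evil/content.txt", 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}')
        zf.writestr("readme.txt", 'O:8:"stdClass":0:{}')
    return buf.getvalue()
```

Any non-empty result is grounds to reject the upload and log the offending entry and user; a legitimate cross-domain paste should carry only scalar and array data.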
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T18:32:10.966Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cef65d977419e584a50ab
Added to database: 12/13/2025, 4:45:25 AM
Last enriched: 12/13/2025, 5:00:13 AM
Last updated: 12/15/2025, 4:02:14 AM