Analysis Report Folder Analysis cache/wp-duplicate-page_1.8 → cache/wp-duplicate-page_1.8.1 - CVE-2025-14001

Shared security patch analysis results

AI Used: claude_cli haiku
includes/Classes/ButtonDuplicate.php AI: 1 vulnerabilities 1 true positive CVE-2025-14001
--- cache/wp-duplicate-page_1.8/includes/Classes/ButtonDuplicate.php	2026-01-13 11:24:39.440380071 +0000+++ cache/wp-duplicate-page_1.8.1/includes/Classes/ButtonDuplicate.php	2026-01-13 11:24:41.236490981 +0000@@ -53,6 +53,9 @@  	public function duplicateBulkHandle( $redirect, $action, $postIds ) { 		if ( 'wp_duplicate_page_bulk_action' === $action ) {+			if ( ! Utils::isCurrentUserAllowedToCopy() ) {+				return $redirect;+			} 			// Get the original post 			$counter = 0; 			if ( is_array( $postIds ) ) {@@ -78,6 +81,9 @@  	public function duplicateBulkHandleHPOS( $redirect, $action, $ids ) { 		if ( 'wp_duplicate_page_bulk_action' === $action ) {+			if ( ! Utils::isCurrentUserAllowedToCopy() ) {+				return $redirect;+			} 			$counter = 0; 			if ( is_array( $ids ) ) { 				foreach ( $ids as $orderId ) {
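Review bot: In duplicateBulkHandle, the new guard returns $redirect unchanged when Utils::isCurrentUserAllowedToCopy() fails, so a denied bulk action looks the same to the user and to logs as one that copied nothing. Consider adding a query argument to $redirect on this path so the admin screen can show a permission notice and the denial can be recorded. The body of isCurrentUserAllowedToCopy() and the loop over $postIds are not shown in this hunk, so it is worth confirming that the helper enforces the plugin's allowed-roles setting and whether any per-post permission check is still needed inside the loop.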
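Review bot: The guard added to duplicateBulkHandleHPOS is a verbatim copy of the three lines added to duplicateBulkHandle. Because the defect was a handler that ran without the check, consider moving it into a single private method that both handlers call first, so a bulk handler added later cannot omit it.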
AI Analysis
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control - CWE-284 - includes/Classes/ButtonDuplicate.php [56-58, 84-86]

Old Code:
public function duplicateBulkHandle( $redirect, $action, $postIds ) {
    if ( 'wp_duplicate_page_bulk_action' === $action ) {
        // Get the original post
        $counter = 0;
        if ( is_array( $postIds ) ) {
            ...

Fixed Code:
public function duplicateBulkHandle( $redirect, $action, $postIds ) {
    if ( 'wp_duplicate_page_bulk_action' === $action ) {
        if ( ! Utils::isCurrentUserAllowedToCopy() ) {
            return $redirect;
        }
        // Get the original post
        $counter = 0;
        if ( is_array( $postIds ) ) {
            ...

Explanation:
The original code was missing authorization checks before performing bulk page duplication operations. An authenticated user could potentially duplicate pages without proper permission validation. The fix adds a capability check via `Utils::isCurrentUserAllowedToCopy()` in both bulk action handlers (`duplicateBulkHandle` and `duplicateBulkHandleHPOS`), ensuring only authorized users can execute the duplication action. This prevents privilege escalation and unauthorized content duplication.
```
CVE Analysis Results:
CVE-2025-14001: Yes
CVE Description:
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders.
wp-duplicate-page.php AI: No vulnerabilities
--- cache/wp-duplicate-page_1.8/wp-duplicate-page.php	2026-01-13 11:24:39.440380071 +0000+++ cache/wp-duplicate-page_1.8.1/wp-duplicate-page.php	2026-01-13 11:24:41.240491228 +0000@@ -1,9 +1,9 @@ <?php /**  * Plugin Name: WP Duplicate Page- * Plugin URI: https://ninjateam.org/wp-duplicate-page/+ * Plugin URI: https://ninjateam.org  * Description: Duplicate Posts, Pages and Custom Post Types.- * Version: 1.8+ * Version: 1.8.1  * Author: NinjaTeam  * Author URI: https://ninjateam.org  * Text Domain: wp-duplicate-page@@ -16,7 +16,7 @@  defined( 'ABSPATH' ) || exit; -define( 'NJT_DUPLICATE_VERSION', '1.8' );+define( 'NJT_DUPLICATE_VERSION', '1.8.1' ); define( 'NJT_DUPLICATE_DOMAIN', 'wp-duplicate-page' );  define( 'NJT_DUPLICATE_PLUGIN_DIR', __DIR__ );
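Review bot: The Plugin URI edit in the file header is unrelated to the version bump and would be easier to audit as its own change. The version is also stated in two places, the header's Version: line and define( 'NJT_DUPLICATE_VERSION', ... ); both are updated here, but a release check that the two values match would keep them from drifting apart.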
AI Analysis
Vulnerability Existed: no
No CWE - N/A - wp-duplicate-page.php (all lines)

Old Code:
Plugin URI: https://ninjateam.org/wp-duplicate-page/
Version: 1.8
define( 'NJT_DUPLICATE_VERSION', '1.8' );

Fixed Code:
Plugin URI: https://ninjateam.org
Version: 1.8.1
define( 'NJT_DUPLICATE_VERSION', '1.8.1' );

Explanation:
This diff contains only metadata and version number updates. The changes include:
1. Plugin URI simplified from full path to root domain
2. Version bumped from 1.8 to 1.8.1
3. Version constant updated to match

These are routine maintenance updates with no security implications. No code logic changes, no input handling modifications, no authentication/authorization changes, and no introduction or removal of security-related functionality. This appears to be a minor version bump with no security fixes or vulnerabilities present.
CVE Analysis Results:
CVE-2025-14001: No