CVE-2025-14074 MEDIUM

CVE-2025-14074: PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication

Vendor Addonsorg
Product PDF for Contact Form 7 + Drag and Drop Template Builder
Weakness CWE-862 · Missing authorization
Published December 12, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones.

Key dates

02Disclosure timeline

December 12, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-13687 Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2024-35661 WordPress Upload Fields for WPForms plugin <= 1.0.2 - Broken Access Control vulnerability CVE-2025-24972 Discourse may bypass user preference when adding users to chat groups CVE-2022-36352 WordPress ProfileGrid Plugin <= 5.0.3 is vulnerable to Broken Access Control CVE-2023-33928 WordPress WordPress Backup & Migration plugin <= 1.4.0 - Broken Access Control vulnerability