← Zuruck zu CVEs

CVE-2025-14608

MEDIUM

5.3

Beschreibung

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.

CVE Details

CVSS v3.1 Bewertung5.3

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht2/14/2026

Zuletzt geandert2/18/2026

Quellenvd

Honeypot-Sichtungen0

Schwachen (CWE)

CWE-862

Referenzen

https://github.com/iamsayan/wp-last-modified-info/commit/cb3586897c11c3cd55dd63b7ae963243a027c0be(security@wordfence.com)

https://plugins.trac.wordpress.org/browser/wp-last-modified-info/tags/1.9.5/inc/Core/Backend/EditScreen.php#L249(security@wordfence.com)

https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Backend/EditScreen.php#L249(security@wordfence.com)

https://plugins.trac.wordpress.org/changeset/3450167/(security@wordfence.com)

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca94c815-488f-4d86-a642-39d2de803763?source=cve(security@wordfence.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.