216.73.216.204

CVE-2025-14608

· Published 14/02/2026 04:15 · Modified 14/02/2026 04:15

Labels: CVE-2025-14608 2026-02-14CVE-2025-14608CWE-862[email protected]

Essential information

Published
14/02/2026 04:15
Modified
14/02/2026 04:15
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / wp last modified info cpe:2.3:a:wordpress:wp_last_modified_info:*:*:*:*:*:wordpress:*:*

References