Description
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
Published: 2026-02-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Metadata Modification
Action: Patch Plugin
AI Analysis

Impact

The vulnerability arises because WP Last Modified Info does not validate that a user has appropriate access to a post before modifying its metadata in the bulk_save AJAX action. As a result, any authenticated user with Author-level privileges or higher can change the last modified timestamp and lock the modification date of any post, including posts owned by administrators. This flaw enables unauthorized modification of post metadata, which can be used to conceal tampering, undermine auditing, or disrupt normal content editing workflows.

Affected Systems

The issue affects the WP Last Modified Info plugin for WordPress, specifically all releases up to and including version 1.9.5. The plugin is distributed by infosatech. WordPress sites that have this plugin installed and that have any authenticated users with the Author role or higher are at risk.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is rated Medium. The EPSS score (<1%) indicates a very low likelihood of exploitation. It is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild. The attack requires the attacker to be authenticated on the target WordPress site with at least Author-level permissions and to craft a bulk_save AJAX request naming arbitrary post IDs. Because the flaw is a missing authorization check, it can be exploited by users already present in the system without any additional network access or privilege escalation.

Generated by OpenCVE AI on April 20, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Last Modified Info to a version newer than 1.9.5 where the bulk_save authorization check is enforced (if such a release is available).
  • If an upgrade is not immediately possible, restrict the bulk_save AJAX endpoint to administrators only by adding a role check or by disabling the endpoint through a custom code snippet or configuration file.
  • Monitor site activity for suspicious bulk_save requests and temporarily block offending IP addresses or users until the plugin can be patched.
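The pattern described above (CWE-862, a handler that trusts the caller-supplied 'post_ids' list and writes metadata without authorizing each post) and the per-post check that fixes it, as an added illustration. This is not code from the WP Last Modified Info plugin: the hook name `wp_ajax_example_bulk_save`, the nonce action `example_bulk_save` and the meta keys `_example_lock_modified` / `_example_last_modified` are hypothetical placeholders; only the WordPress core functions (`check_ajax_referer`, `current_user_can`, `update_post_meta`, `wp_send_json_*`) are real.

```php
<?php
// Added illustration for this CVE record; not the plugin's own code.
// Hook name, nonce action and meta keys below are hypothetical placeholders.

// --- Pattern matching the described flaw (CWE-862).
// The nonce proves the request came from the site's own UI (CSRF defence only).
// Nothing here checks that the caller may edit the posts named in 'post_ids',
// so any logged-in user who can reach admin-ajax.php (Author and above) can
// touch arbitrary posts, including ones owned by Administrators.
// Deliberately NOT registered with add_action().
function example_bulk_save_unchecked() {
    check_ajax_referer( 'example_bulk_save', 'nonce' );

    $post_ids = isset( $_POST['post_ids'] ) ? (array) $_POST['post_ids'] : array();
    foreach ( $post_ids as $post_id ) {
        $post_id = absint( $post_id );
        update_post_meta( $post_id, '_example_lock_modified', 1 );
        update_post_meta( $post_id, '_example_last_modified', current_time( 'mysql' ) );
    }
    wp_send_json_success();
}

// --- Hardened version: authenticate the request, then authorize every
// object it names. current_user_can( 'edit_post', $id ) resolves through the
// post type's edit_posts / edit_others_posts capabilities, so an Author is
// allowed only on their own posts while Editors and Administrators keep
// legitimate bulk access.
function example_bulk_save_checked() {
    check_ajax_referer( 'example_bulk_save', 'nonce' );

    if ( ! isset( $_POST['post_ids'] ) || ! is_array( $_POST['post_ids'] ) ) {
        wp_send_json_error( array( 'message' => 'post_ids must be an array' ), 400 );
    }

    $updated = array();
    $denied  = array();
    foreach ( array_map( 'absint', wp_unslash( $_POST['post_ids'] ) ) as $post_id ) {
        // Reject ids that do not resolve to an existing post.
        if ( ! $post_id || ! get_post( $post_id ) ) {
            $denied[] = $post_id;
            continue;
        }
        // Per-object authorization: the check the advisory reports as missing.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            $denied[] = $post_id;
            continue;
        }
        update_post_meta( $post_id, '_example_lock_modified', 1 );
        update_post_meta( $post_id, '_example_last_modified', current_time( 'mysql' ) );
        $updated[] = $post_id;
    }

    // Report refused ids explicitly rather than silently skipping them, so the
    // client response (and any request logging) shows partial denial.
    wp_send_json_success( array( 'updated' => $updated, 'denied' => $denied ) );
}
add_action( 'wp_ajax_example_bulk_save', 'example_bulk_save_checked' );
```

The same `current_user_can( 'edit_post', $post_id )` test is what a temporary gate in an mu-plugin would apply to the real endpoint until the plugin is patched; the actual AJAX hook name must be taken from the plugin's source, since this record does not state it.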

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Infosatech; Infosatech wp Last Modified Info; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Infosatech; Infosatech wp Last Modified Info; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 04:00:00 +0000

Type: Description
Values removed: (none)
Values added: The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.

Type: Title
Values removed: (none)
Values added: WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification

Type: Weaknesses
Values removed: (none)
Values added: CWE-862

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Infosatech Wp Last Modified Info
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:18.991Z

Reserved: 2025-12-12T20:11:33.221Z

Link: CVE-2025-14608

Vulnrichment

Updated: 2026-02-17T15:03:46.424Z

NVD

Status: Deferred

Published: 2026-02-14T04:15:56.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses