Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion. This issue affects WP Last Modified Info: from n/a through <= 1.9.4.
Published: 2025-10-22
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress WP Last Modified Info plugin has an Improper Control of Generation of Code (Code Injection) flaw that allows attackers to execute arbitrary PHP code on the host. This vulnerability can be triggered by sending malicious data that the plugin processes, leading to full remote code execution. The weakness is identified as CWE‑94.

Affected Systems

The issue affects the WordPress plugin WP Last Modified Info developed by Sayan Datta, versions up to and including 1.9.4. Any site running this plugin without an updated version is vulnerable.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity. The EPSS score is reported as < 1%, implying a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers could most likely exploit this flaw remotely from any network position that can reach the WordPress control surface, potentially without needing authentication, as the description indicates remote code inclusion. Based on the description, it is inferred that the exploit can be performed via the WordPress admin interface or an API endpoint that accepts code injection.

Generated by OpenCVE AI on April 29, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Last Modified Info to a version newer than 1.9.4 or to the latest release if available.
  • If an upgrade is not possible, disable the plugin via the WordPress admin interface to prevent malicious code execution.
  • Run a security audit and scan the WordPress installation for other code‑injection or injection flaws, and ensure that all other plugins and the core are kept up to date.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion. This issue affects WP Last Modified Info: from n/a through <= 1.9.2.
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion. This issue affects WP Last Modified Info: from n/a through <= 1.9.4.

Type: Title
Values Removed: WordPress WP Last Modified Info plugin <= 1.9.2 - Remote Code Execution (RCE) vulnerability
Values Added: WordPress WP Last Modified Info plugin <= 1.9.4 - Remote Code Execution (RCE) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Sayandatta; Sayandatta wp Last Modified Info; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Sayandatta; Sayandatta wp Last Modified Info; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion. This issue affects WP Last Modified Info: from n/a through <= 1.9.2.

Type: Title
Values Added: WordPress WP Last Modified Info plugin <= 1.9.2 - Remote Code Execution (RCE) vulnerability

Type: Weaknesses
Values Added: CWE-94

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:05:19.215Z

Reserved: 2025-06-19T10:02:55.536Z

Link: CVE-2025-52756

Vulnrichment

Updated: 2025-10-23T15:33:37.957Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:45.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z
