Description
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.
Published: 2026-02-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

A missing authorization flaw in the Iulia Cazan Latest Post Shortcode plugin allows users to bypass configured access control settings. The weakness is a classic broken access control vulnerability (CWE-862) and can enable an unauthenticated or low‑privilege visitor to read or expose recent post content from the shortcode functionality that should normally be restricted.

Affected Systems

Any WordPress site that has installed the Iulia Cazan Latest Post Shortcode plugin version 14.2.0 or earlier is potentially vulnerable. The plugin is used to insert the most recent post into pages or posts via shortcodes, and the affected releases span from the earliest versions up through 14.2.0.

Risk and Exploitability

Based on the description, it is inferred that attackers would most likely target the plugin’s web interface or shortcode rendering functions, exploiting incorrect role checks to retrieve or display content that should have been hidden. The CVSS base score of 4.3 indicates a low‑to‑moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the weakness leverages incorrect authorization, any user who can inject or request the shortcode could potentially view private posts if access controls are misconfigured.

Generated by OpenCVE AI on April 16, 2026 at 07:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Latest Post Shortcode plugin to a version newer than 14.2.0 where the access control issue has been fixed.
  • Re‑review the plugin’s role‑based settings, ensuring that only trusted user roles are allowed to invoke the shortcode that exposes recent post content.
  • Block direct access to the plugin’s administrative endpoints for non‑administrative roles using WordPress capability checks or server‑level restrictions.
  • Inspect any custom shortcodes or templates that reference the plugin, confirming that proper permission checks guard the display of post data.

Generated by OpenCVE AI on April 16, 2026 at 07:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 03 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.
Title WordPress Latest Post Shortcode plugin <= 14.2.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:52.812Z

Reserved: 2026-01-28T09:50:51.018Z

Link: CVE-2026-24995

cve-icon Vulnrichment

Updated: 2026-02-03T16:22:02.828Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T15:16:18.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses