Refine your search
2 vulnerabilities found for WP Last Modified Info by infosatech
CVE-2025-14608 (GCVE-0-2025-14608)
Vulnerability from cvelistv5
Published
2026-02-14 03:25
Modified
2026-04-08 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Version: 0 ≤ 1.9.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T15:03:12.057618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T15:04:02.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user\u0027s access to a post before modifying its metadata in the \u0027bulk_save\u0027 AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the \u0027post_ids\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:18.991Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca94c815-488f-4d86-a642-39d2de803763?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/tags/1.9.5/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3450167/"
},
{
"url": "https://github.com/iamsayan/wp-last-modified-info/commit/cb3586897c11c3cd55dd63b7ae963243a027c0be"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T03:25:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14608",
"datePublished": "2026-02-14T03:25:28.248Z",
"dateReserved": "2025-12-12T20:11:33.221Z",
"dateUpdated": "2026-04-08T17:23:18.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6864 (GCVE-0-2024-6864)
Vulnerability from cvelistv5
Published
2024-08-20 04:28
Modified
2026-04-08 17:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘template’ attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Version: 0 ≤ 1.9.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T14:42:53.871143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T11:30:31.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018template\u2019 attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:01.529Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87368d85-04d4-42e6-9ba6-2a1fc3b945a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Frontend/PostView.php#L205"
},
{
"url": "https://wordpress.org/plugins/wp-last-modified-info/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/#file23"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-19T15:52:33.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6864",
"datePublished": "2024-08-20T04:28:33.896Z",
"dateReserved": "2024-07-17T20:45:42.771Z",
"dateUpdated": "2026-04-08T17:05:01.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}