Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
WP Last Modified Info plugin allows attackers to modify post metadata
CVE-2025-14608
Summary
The WP Last Modified Info plugin for WordPress is insecure, allowing an attacker with Author-level access to modify the last modified date of any post, including those created by Administrators. This can be exploited through the plugin's bulk_save action. To protect your site, update the plugin to the latest version or remove it if you don't need it.
Original title
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's acces...
Original description
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
nvd CVSS3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://github.com/iamsayan/wp-last-modified-info/commit/cb3586897c11c3cd55dd63b...
- https://plugins.trac.wordpress.org/browser/wp-last-modified-info/tags/1.9.5/inc/...
- https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/...
- https://plugins.trac.wordpress.org/changeset/3450167/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ca94c815-488f-4d86-a64...
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026