Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for WP Last Modified Info by infosatech
CVE-2025-14608 (GCVE-0-2025-14608)
Vulnerability from nvd – Published: 2026-02-14 03:25 – Updated: 2026-04-08 17:23
VLAI?
Title
WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Affected:
0 , ≤ 1.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T15:03:12.057618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T15:04:02.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user\u0027s access to a post before modifying its metadata in the \u0027bulk_save\u0027 AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the \u0027post_ids\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:18.991Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca94c815-488f-4d86-a642-39d2de803763?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/tags/1.9.5/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3450167/"
},
{
"url": "https://github.com/iamsayan/wp-last-modified-info/commit/cb3586897c11c3cd55dd63b7ae963243a027c0be"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T03:25:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14608",
"datePublished": "2026-02-14T03:25:28.248Z",
"dateReserved": "2025-12-12T20:11:33.221Z",
"dateUpdated": "2026-04-08T17:23:18.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6864 (GCVE-0-2024-6864)
Vulnerability from nvd – Published: 2024-08-20 04:28 – Updated: 2026-04-08 17:05
VLAI?
Title
WP Last Modified Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘template’ attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Affected:
0 , ≤ 1.9.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T14:42:53.871143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T11:30:31.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018template\u2019 attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:01.529Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87368d85-04d4-42e6-9ba6-2a1fc3b945a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Frontend/PostView.php#L205"
},
{
"url": "https://wordpress.org/plugins/wp-last-modified-info/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/#file23"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-19T15:52:33.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6864",
"datePublished": "2024-08-20T04:28:33.896Z",
"dateReserved": "2024-07-17T20:45:42.771Z",
"dateUpdated": "2026-04-08T17:05:01.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14608 (GCVE-0-2025-14608)
Vulnerability from cvelistv5 – Published: 2026-02-14 03:25 – Updated: 2026-04-08 17:23
VLAI?
Title
WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Affected:
0 , ≤ 1.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T15:03:12.057618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T15:04:02.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user\u0027s access to a post before modifying its metadata in the \u0027bulk_save\u0027 AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the \u0027post_ids\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:18.991Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca94c815-488f-4d86-a642-39d2de803763?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/tags/1.9.5/inc/Core/Backend/EditScreen.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3450167/"
},
{
"url": "https://github.com/iamsayan/wp-last-modified-info/commit/cb3586897c11c3cd55dd63b7ae963243a027c0be"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T03:25:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14608",
"datePublished": "2026-02-14T03:25:28.248Z",
"dateReserved": "2025-12-12T20:11:33.221Z",
"dateUpdated": "2026-04-08T17:23:18.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6864 (GCVE-0-2024-6864)
Vulnerability from cvelistv5 – Published: 2024-08-20 04:28 – Updated: 2026-04-08 17:05
VLAI?
Title
WP Last Modified Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode
Summary
The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘template’ attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| infosatech | WP Last Modified Info |
Affected:
0 , ≤ 1.9.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T14:42:53.871143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T11:30:31.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Last Modified Info",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018template\u2019 attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:01.529Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87368d85-04d4-42e6-9ba6-2a1fc3b945a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-last-modified-info/trunk/inc/Core/Frontend/PostView.php#L205"
},
{
"url": "https://wordpress.org/plugins/wp-last-modified-info/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/#file23"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3137253/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-19T15:52:33.000Z",
"value": "Disclosed"
}
],
"title": "WP Last Modified Info \u003c= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6864",
"datePublished": "2024-08-20T04:28:33.896Z",
"dateReserved": "2024-07-17T20:45:42.771Z",
"dateUpdated": "2026-04-08T17:05:01.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}