WP Last Modified Info Vulnerability (Medium) – CVE-2025-14608

by | Feb 13, 2026 | Plugins

Attack Vectors

WP Last Modified Info (slug: wp-last-modified-info) has a Medium-severity vulnerability (CVE-2025-14608, CVSS 5.3) affecting versions up to and including 1.9.5. It is an Insecure Direct Object Reference (IDOR) in the plugin's bulk_save AJAX action: the handler takes a list of post IDs from the request and does not verify that the requesting user is allowed to edit each targeted post.

As a result, an authenticated user with Author-level access or higher can send a request whose post_ids parameter names posts they do not own and modify the "last modified" metadata of those posts, including content created by Administrators.

In practical terms, this can be abused by an insider or by an attacker holding compromised credentials (for example, a staff member's or third-party contractor's account with Author access) to alter content metadata across the site at scale, without holding admin permissions on the posts affected.

Security Weakness

The core weakness is a missing authorization check: the plugin updates post metadata through its bulk_save AJAX handler without validating the requester’s access rights for each post being modified.

This is a classic access-control gap: the application trusts the object identifiers (the list of post IDs) supplied by the user instead of enforcing "who can edit what" on the server side. The fix is to authorize each object individually, that is, for every supplied post ID, confirm that the current user may edit that specific post before writing anything.
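To make the weakness concrete, here is an added illustration written for this article; it is not code from WP Last Modified Info. It models the bug class described above, an admin-ajax.php handler that accepts a post_ids list and writes metadata, first without per-post authorization and then hardened. The action names (example_bulk_save, example_bulk_save_fixed), the meta key _example_last_modified, the nonce action and the parameter last_modified are assumptions made for the illustration, not the plugin's real identifiers.

```php
<?php
// Added illustrative example for this article; not code from the plugin.
// Hook names, meta key, nonce action and parameter names are assumptions.

// VULNERABLE PATTERN
// wp_ajax_* hooks already require a logged-in user, and that is the only gate
// here. Any Author can submit an Administrator's post IDs and the loop writes
// to them because the object identifier is trusted as-is (the IDOR).
add_action( 'wp_ajax_example_bulk_save', 'example_bulk_save_vulnerable' );
function example_bulk_save_vulnerable() {
    $post_ids = isset( $_POST['post_ids'] ) ? (array) wp_unslash( $_POST['post_ids'] ) : array();
    $value    = isset( $_POST['last_modified'] )
        ? sanitize_text_field( wp_unslash( $_POST['last_modified'] ) )
        : '';

    foreach ( $post_ids as $post_id ) {
        // No check that the current user may edit this particular post.
        update_post_meta( (int) $post_id, '_example_last_modified', $value );
    }
    wp_send_json_success( array( 'updated' => count( $post_ids ) ) );
}

// HARDENED PATTERN
// 1. CSRF nonce tied to this action.
// 2. Normalise post_ids to positive integers and reject an empty list.
// 3. Authorize every object BEFORE mutating any of them (fail closed for the
//    whole batch), using the 'edit_post' meta capability so that WordPress
//    maps it to edit_posts / edit_others_posts / edit_published_posts based on
//    ownership and status. An Author therefore passes only for their own posts,
//    and a non-existent ID resolves to do_not_allow and is denied too.
add_action( 'wp_ajax_example_bulk_save_fixed', 'example_bulk_save_fixed' );
function example_bulk_save_fixed() {
    check_ajax_referer( 'example_bulk_save', 'nonce' ); // dies on failure

    $raw_ids  = isset( $_POST['post_ids'] ) ? (array) wp_unslash( $_POST['post_ids'] ) : array();
    $post_ids = array_values( array_filter( array_map( 'absint', $raw_ids ) ) );
    $value    = isset( $_POST['last_modified'] )
        ? sanitize_text_field( wp_unslash( $_POST['last_modified'] ) )
        : '';

    if ( empty( $post_ids ) ) {
        wp_send_json_error( array( 'message' => 'No valid post IDs supplied.' ), 400 );
    }

    // Authorization pass: every ID must be editable by the requester.
    foreach ( $post_ids as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error(
                array( 'message' => 'You are not allowed to edit one or more of the selected posts.' ),
                403
            );
        }
    }

    // Write pass: only reached when the whole batch is authorized.
    foreach ( $post_ids as $post_id ) {
        update_post_meta( $post_id, '_example_last_modified', $value );
    }
    wp_send_json_success( array( 'updated' => count( $post_ids ) ) );
}
```

In the hardened handler the client must include a nonce generated with wp_create_nonce( 'example_bulk_save' ) in the nonce field of the POST body, otherwise check_ajax_referer() terminates the request. The two-pass structure matters for bulk endpoints: checking and writing in the same loop would leave a partially applied change when a later ID is denied, whereas authorizing the full list first makes the operation all-or-nothing. When reviewing other plugins for the same bug class, the question to ask of every AJAX or REST handler that takes object IDs is whether a per-ID current_user_can() call on a meta capability ('edit_post', 'delete_post', 'edit_comment', and so on) sits between the request and the write.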

Technical or Business Impacts

Brand and content integrity risk: Marketing and communications teams often rely on “last updated” signals to build trust and demonstrate freshness. If an Author-level account can update or lock modification dates across arbitrary posts, your public-facing content can appear misleadingly current—or artificially stale—without proper editorial control.

Governance and compliance concerns: For regulated organizations or teams operating under internal change-control policies, unauthorized changes to content metadata can undermine auditability. Even when the content itself is unchanged, metadata manipulation can create confusion about when information was last reviewed or approved.

Operational disruption: Editorial workflows, approvals, and scheduled updates can be impacted if modification metadata is altered or locked unexpectedly, leading to rework, disputes over version history, and reduced confidence in reporting dashboards that track content updates.

Scope of impact: The issue is limited to modification of last modified metadata (Integrity impact is rated Low in the CVSS vector), but it can still have outsized business consequences because it affects how stakeholders and customers interpret your site’s accuracy and timeliness.

Severity and action: This is rated Medium. The recommended remediation is to update WP Last Modified Info to version 1.9.6 or newer, which adds the missing authorization check. On sites managed with WP-CLI, wp plugin get wp-last-modified-info --field=version shows the installed version and wp plugin update wp-last-modified-info applies the fix. Because the weakness is exploitable from Author-level accounts, it is also worth reviewing which accounts currently hold Author or higher roles and removing any that are no longer needed.

Similar Attacks

IDOR and missing authorization checks are a common cause of "horizontal privilege escalation," where a legitimate user reads or changes resources they do not own. Useful references on the weakness class and how to prevent it:

PortSwigger: Insecure Direct Object References (IDOR)

OWASP: IDOR Prevention Cheat Sheet

MITRE CWE-639: Authorization Bypass Through User-Controlled Key