CVE-2025-14608 Overview
The WP Last Modified Info plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 1.9.5. The vulnerability exists because the plugin fails to properly validate a user's access to a post before allowing modifications to its metadata through the bulk_save AJAX action. This allows authenticated attackers with Author-level access or above to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators, via the post_ids parameter.
Critical Impact
Authenticated attackers with Author-level privileges can manipulate post metadata for any post on the WordPress site, including Administrator-owned content, potentially disrupting content management workflows and SEO integrity.
Affected Products
- WP Last Modified Info plugin for WordPress versions up to and including 1.9.5
Discovery Timeline
- 2026-02-14 - CVE-2025-14608 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-14608
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The core issue lies in the bulk_save AJAX action handler within the EditScreen.php file of the WP Last Modified Info plugin. When processing bulk edit requests, the plugin accepts an array of post IDs through the post_ids parameter and proceeds to modify the last modified metadata for those posts without verifying whether the requesting user has permission to edit each individual post.
In WordPress, proper authorization requires checking whether the current user has the edit_post capability for each specific post ID before performing modifications. The vulnerable code processes the provided post IDs and updates metadata regardless of post ownership or user permissions, creating an authorization bypass condition.
Root Cause
The root cause is missing authorization checks in the bulk_save AJAX action handler. The plugin correctly authenticates that the user is logged in and has at least Author-level access, but fails to implement post-level capability checks. This allows any authenticated user with Author privileges to specify arbitrary post IDs—including those belonging to Administrators or other users—and manipulate their last modified timestamps and lock status.
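The per-post authorization the advisory describes as missing, shown in a bulk_save-style AJAX handler. This is an added illustration, not the plugin's own code: the hook suffix, nonce action and the lock_modified/modified request fields are assumptions, while post_ids and the _lmt_disableupdate meta key come from the advisory; the modified date is written with a direct $wpdb update so the example does not rely on wp_update_post preserving post_modified.

```php
<?php
// Added illustration, not the plugin's own code: a bulk_save-style AJAX handler
// that authorizes each post ID before changing anything. The hook suffix,
// nonce action and the lock_modified/modified field names are assumptions;
// post_ids and the _lmt_disableupdate meta key come from the advisory.
add_action( 'wp_ajax_bulk_save', 'example_lmt_bulk_save' );
function example_lmt_bulk_save() {
    global $wpdb;
    // The nonce defends against CSRF only; it says nothing about which posts
    // this user may edit, so it is necessary but not sufficient.
    check_ajax_referer( 'example_lmt_bulk_save', 'nonce' );
    $post_ids = isset( $_POST['post_ids'] ) ? array_map( 'absint', (array) $_POST['post_ids'] ) : array();
    $lock     = empty( $_POST['lock_modified'] ) ? 'no' : 'yes';
    $modified = isset( $_POST['modified'] ) ? sanitize_text_field( wp_unslash( $_POST['modified'] ) ) : '';
    if ( ! $post_ids ) {
        wp_send_json_error( array( 'message' => 'No post IDs supplied.' ), 400 );
    }
    if ( '' !== $modified && ! DateTime::createFromFormat( 'Y-m-d H:i:s', $modified ) ) {
        wp_send_json_error( array( 'message' => 'Expected modified as Y-m-d H:i:s.' ), 400 );
    }
    $updated = array();
    $denied  = array();
    foreach ( $post_ids as $post_id ) {
        // The check the vulnerable handler lacks. edit_post is a meta capability that
        // WordPress resolves per post (edit_others_posts, edit_published_posts, ...)
        // from the post's author and status, and it refuses unknown IDs outright.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            $denied[] = $post_id;
            continue;
        }
        update_post_meta( $post_id, '_lmt_disableupdate', $lock );
        if ( '' !== $modified ) {
            $wpdb->update(
                $wpdb->posts,
                array( 'post_modified' => $modified, 'post_modified_gmt' => get_gmt_from_date( $modified ) ),
                array( 'ID' => $post_id )
            );
            clean_post_cache( $post_id );
        }
        $updated[] = $post_id;
    }
    if ( $denied ) {
        // A logged-in user naming posts they cannot edit is exactly the condition
        // the IDOR relied on; record it rather than silently skipping those IDs.
        error_log( sprintf( 'bulk_save: user %d denied edit_post on post(s) %s',
            get_current_user_id(), implode( ',', $denied ) ) );
    }
    wp_send_json_success( array( 'updated' => $updated, 'denied' => $denied ) );
}
```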
Attack Vector
An attacker with authenticated Author-level access to a WordPress site can craft a malicious AJAX request to the bulk_save endpoint, supplying arbitrary post IDs in the post_ids parameter along with modified date values. The attack is network-based and requires no user interaction beyond the initial authentication.
The following patch shows the security improvements made to the plugin:
return;
}
- $disabled = $this->get_meta( $post->ID, '_lmt_disableupdate' ) ?: 'no';
+ $disabled = $this->get_meta( $post->ID, '_lmt_disableupdate' ) ?? 'no';
$modified = $this->format_modified_date( $post );
$html = $modified;
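Review bot: the hunk as shown changes only the fallback operator on the `_lmt_disableupdate` read (`?:` to `??`) and contains no per-post capability check, so on its own it does not address the missing `current_user_can( 'edit_post', $post->ID )` check in bulk_save that the advisory describes; the authorization fix should be shown alongside it or the lead-in should say this excerpt is incidental to the CVE. Separately, `??` falls back to `'no'` only when `get_meta()` returns null: if it returns an empty string for an absent key, as `get_post_meta()` does, `$disabled` becomes `''` where the old code yielded `'no'`, so the return contract of `get_meta()` should be confirmed before relying on the new behaviour.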
Source: GitHub Commit Details
Detection Methods for CVE-2025-14608
Indicators of Compromise
- Unexpected modifications to post last_modified timestamps in the WordPress database
- Unusual AJAX requests to admin-ajax.php with action=bulk_save containing post IDs the requesting user does not own
- Locked modification dates on posts that should have normal update behavior
Detection Strategies
- Monitor WordPress AJAX requests for bulk_save actions that reference post IDs outside the authenticated user's ownership
- Implement database-level auditing on the _lmt_disableupdate and last modified post meta fields
- Review access logs for patterns of POST requests to admin-ajax.php from Author-level accounts targeting Administrator-owned content
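An added example (not part of the advisory, the plugin or the Wordfence report) of the meta-level auditing suggested above: a must-use plugin that hooks the post-meta write actions for _lmt_disableupdate and flags any write by a logged-in actor who cannot edit that post. The option name, function names and the 500-record cap are assumptions; only the meta key is taken from the advisory.

```php
<?php
// Added example, not part of the advisory or the plugin: a must-use plugin that
// audits writes to the plugin's lock flag and flags writes by a user who
// cannot edit that post. The option name and 500-record cap are assumptions;
// only the _lmt_disableupdate key is taken from the advisory.
add_action( 'added_post_meta',   'example_lmt_audit_meta', 10, 4 );
add_action( 'updated_post_meta', 'example_lmt_audit_meta', 10, 4 );

function example_lmt_audit_meta( $meta_id, $post_id, $meta_key, $meta_value ) {
    if ( '_lmt_disableupdate' !== $meta_key ) {
        return;
    }
    $record = example_lmt_audit_record( (int) $post_id, (string) $meta_value, get_current_user_id() );
    // Keep a bounded ring of recent records; a SIEM sink is the production choice.
    $log   = get_option( 'example_lmt_audit_log', array() );
    $log[] = $record;
    update_option( 'example_lmt_audit_log', array_slice( $log, -500 ), false );
    if ( $record['suspicious'] ) {
        error_log( 'lmt-audit ' . wp_json_encode( $record ) );
    }
}

// Builds one record. Separated from the hook so the decision can be exercised
// with a fixed actor ID rather than the live session.
function example_lmt_audit_record( $post_id, $meta_value, $actor_id ) {
    $post = get_post( $post_id );
    return array(
        'time'        => current_time( 'mysql', true ),
        'post_id'     => $post_id,
        'post_author' => $post ? (int) $post->post_author : 0,
        'actor_id'    => $actor_id,
        'value'       => $meta_value,
        'action'      => isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '',
        // An authenticated actor changing the lock on a post they may not edit is
        // the condition the IDOR produces; WP-Cron or WP-CLI runs (actor 0) are not.
        'suspicious'  => $actor_id > 0 && ! user_can( $actor_id, 'edit_post', $post_id ),
    );
}
```

update_post_meta does not fire updated_post_meta when the stored value is unchanged, and writes made with direct $wpdb queries bypass both hooks, so this complements rather than replaces database-level auditing of the meta and post_modified fields.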
Monitoring Recommendations
- Enable WordPress audit logging to track post metadata changes and correlate with user sessions
- Configure web application firewall rules to alert on suspicious bulk edit patterns
- Regularly audit which users have Author-level access and review their activity logs
How to Mitigate CVE-2025-14608
Immediate Actions Required
- Update the WP Last Modified Info plugin to the latest patched version immediately
- Audit existing post metadata for unauthorized modifications to last modified timestamps
- Review WordPress user accounts with Author-level access or above for suspicious activity
- Consider temporarily disabling the plugin if an immediate update is not possible
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix is available in the WordPress Plugin Changeset. Update to the latest version of WP Last Modified Info via the WordPress plugin repository. For detailed technical information about the vulnerability, refer to the Wordfence Vulnerability Report.
Workarounds
- Temporarily deactivate the WP Last Modified Info plugin until the patch can be applied
- Restrict Author-level accounts to only trusted users until the vulnerability is remediated
- Implement a web application firewall rule to block or monitor bulk_save AJAX requests containing suspicious post ID patterns
# WordPress CLI command to check current plugin version
wp plugin list --fields=name,version | grep wp-last-modified-info
# Update the plugin to the latest version
wp plugin update wp-last-modified-info
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.