CVE-2026-24995
Description
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Latest Post Shortcode plugin for WordPress ≤14.2.0 has a missing authorization vulnerability allowing unauthorized access to restricted functionality.
Vulnerability Overview
The Latest Post Shortcode plugin for WordPress, developed by Iulia Cazan, suffers from a missing authorization vulnerability in versions up to and including 14.2.0 [1]. This flaw enables attackers to exploit incorrectly configured access control security levels, potentially granting unauthorized access to functionality that should be restricted to higher-privileged users.
Exploitation Conditions
The vulnerability arises from a lack of proper authorization checks, such as missing capability checks or nonce verification, in one or more plugin functions [1]. An attacker does not need to be authenticated, or may require only minimal privileges, to exploit this issue. The attack vector is over the network, and no user interaction is typically required beyond the initial request.
Impact
Successful exploitation allows an unprivileged attacker to perform actions normally reserved for higher-privileged users, such as modifying settings or accessing sensitive data. The CVSS score of 4.3 (Medium) reflects a moderate impact, with limited compromise of confidentiality or integrity.
Mitigation
The vulnerability has been addressed in version 14.2.1 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, temporary measures such as disabling the plugin or seeking assistance from hosting providers may reduce risk. The vendor notes that exploitation is unlikely but still recommends prompt patching.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=14.2.0
Patches
No patches discovered yet.