Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.1.
AnalysisAI
Latest Post Shortcode plugin through version 14.2.1 contains an authorization bypass that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects websites running the vulnerable plugin versions and could enable unauthorized data manipulation without requiring user interaction or authentication. No patch is currently available for this issue.
Technical ContextAI
The Latest Post Shortcode plugin is a WordPress plugin that provides shortcode functionality for displaying latest posts. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly validate user permissions before allowing sensitive operations. The root cause involves inadequate checking of user capabilities before processing shortcode parameters or admin actions, allowing the shortcode rendering or associated AJAX handlers to execute privileged operations without verifying the current user's authentication status or role. WordPress plugins typically implement authorization through functions like current_user_can() and checking nonces, which appear to be missing or improperly implemented in this shortcode's request handling logic.
RemediationAI
Immediately upgrade the Latest Post Shortcode plugin to the latest available version beyond 14.2.1 from the WordPress plugin repository. The primary remediation is patching to a version that includes proper authorization checks for shortcode processing and any associated AJAX or admin handlers. Until patching is completed, administrators should consider disabling or removing the plugin if it is not actively used. Additional preventive measures include restricting WordPress administrative access to trusted IP ranges, enforcing strong authentication for all WordPress users, enabling WordPress security plugins that monitor for unauthorized data modifications, and regularly auditing post revision history for unexpected changes. Review WordPress user roles and ensure the principle of least privilege is applied to all user accounts.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11790