Skip to main content

Latest Post Shortcode EUVDEUVD-2026-11790

| CVE-2026-31916 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11790
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.1.

AnalysisAI

Latest Post Shortcode plugin through version 14.2.1 contains an authorization bypass that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects websites running the vulnerable plugin versions and could enable unauthorized data manipulation without requiring user interaction or authentication. No patch is currently available for this issue.

Technical ContextAI

The Latest Post Shortcode plugin is a WordPress plugin that provides shortcode functionality for displaying latest posts. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly validate user permissions before allowing sensitive operations. The root cause involves inadequate checking of user capabilities before processing shortcode parameters or admin actions, allowing the shortcode rendering or associated AJAX handlers to execute privileged operations without verifying the current user's authentication status or role. WordPress plugins typically implement authorization through functions like current_user_can() and checking nonces, which appear to be missing or improperly implemented in this shortcode's request handling logic.

RemediationAI

Immediately upgrade the Latest Post Shortcode plugin to the latest available version beyond 14.2.1 from the WordPress plugin repository. The primary remediation is patching to a version that includes proper authorization checks for shortcode processing and any associated AJAX or admin handlers. Until patching is completed, administrators should consider disabling or removing the plugin if it is not actively used. Additional preventive measures include restricting WordPress administrative access to trusted IP ranges, enforcing strong authentication for all WordPress users, enabling WordPress security plugins that monitor for unauthorized data modifications, and regularly auditing post revision history for unexpected changes. Review WordPress user roles and ensure the principle of least privilege is applied to all user accounts.

Share

EUVD-2026-11790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy