{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24995", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.018Z", "datePublished": "2026-02-03T14:08:37.390Z", "dateUpdated": "2026-04-28T16:14:52.812Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "latest-post-shortcode", "product": "Latest Post Shortcode", "vendor": "Iulia Cazan", "versions": [{"changes": [{"at": "14.2.1", "status": "unaffected"}], "lessThanOrEqual": "14.2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:01.616Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.</p>"}], "value": "Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.812Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Latest Post Shortcode plugin <= 14.2.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T16:22:06.503787Z", "id": "CVE-2026-24995", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:40:00.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24995", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T16:22:06.503787Z"}}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:22:02.828Z"}}], "cna": {"title": "WordPress Latest Post Shortcode plugin <= 14.2.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Iulia Cazan", "product": "Latest Post Shortcode", "versions": [{"status": "affected", "changes": [{"at": "14.2.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "14.2.0"}], "packageName": "latest-post-shortcode", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:33.430Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:47.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24995", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:40:00.299Z", "dateReserved": "2026-01-28T09:50:51.018Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:37.390Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Iulia Cazan Latest Post Shortcode latest-post-shortcode permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Latest Post Shortcode: desde n/a hasta &lt;= 14.2.0."}], "id": "CVE-2026-24995", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:18.643", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:02:53.336629+00:00", "value": {"mitigation_remediation": ["Upgrade the Latest Post Shortcode plugin to a version newer than 14.2.0 where the access control issue has been fixed.", "Re\u2011review the plugin\u2019s role\u2011based settings, ensuring that only trusted user roles are allowed to invoke the shortcode that exposes recent post content.", "Block direct access to the plugin\u2019s administrative endpoints for non\u2011administrative roles using WordPress capability checks or server\u2011level restrictions.", "Inspect any custom shortcodes or templates that reference the plugin, confirming that proper permission checks guard the display of post data."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the Iulia Cazan Latest Post Shortcode plugin version 14.2.0 or earlier is potentially vulnerable. The plugin is used to insert the most recent post into pages or posts via shortcodes, and the affected releases span from the earliest versions up through 14.2.0.", "description_and_impact": "A missing authorization flaw in the Iulia Cazan Latest Post Shortcode plugin allows users to bypass configured access control settings. The weakness is a classic broken access control vulnerability (CWE-862) and can enable an unauthenticated or low\u2011privilege visitor to read or expose recent post content from the shortcode functionality that should normally be restricted.", "risk_and_exploitability": "Based on the description, it is inferred that attackers would most likely target the plugin\u2019s web interface or shortcode rendering functions, exploiting incorrect role checks to retrieve or display content that should have been hidden. The CVSS base score of 4.3 indicates a low\u2011to\u2011moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the weakness leverages incorrect authorization, any user who can inject or request the shortcode could potentially view private posts if access controls are misconfigured."}}}}, "created": "2026-02-04T12:09:11.531134+00:00", "updated": "2026-04-16T07:15:28.167653+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}