Executive Summary

The WP Last Modified Info plugin for WordPress has a vulnerability known as Insecure Direct Object Reference (IDOR) in all versions up to and including 1.9.5. This occurs because the plugin does not properly validate whether a user has permission to access a post before allowing modification of its metadata during the 'bulk_save' AJAX action.

As a result, authenticated users with Author-level access or higher can exploit this flaw to update the last modified metadata and lock the modification date of any arbitrary posts, including those created by Administrators, by manipulating the 'post_ids' parameter.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with Author-level or higher access to modify the last modified date metadata of posts they do not own or have permission to edit. They can lock the modification date, preventing it from being updated automatically.

The impact includes potential misinformation about when content was last updated, which can affect content integrity and trustworthiness. It may also interfere with workflows or auditing processes that rely on accurate modification timestamps.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized modification of post metadata via the 'bulk_save' AJAX action in the WP Last Modified Info plugin. Detection involves monitoring for suspicious bulk edit AJAX requests that modify the last modified metadata of posts without proper permission checks."}, {'type': 'paragraph', 'content': "Since the vulnerability allows authenticated users with Author-level access and above to update last modified metadata of arbitrary posts via the 'post_ids' parameter, detection can focus on monitoring AJAX requests to the 'process_bulk_edit' action that include unexpected or unauthorized post IDs."}, {'type': 'paragraph', 'content': 'Suggested commands or methods to detect exploitation attempts include:'}, {'type': 'list_item', 'content': "Inspect web server access logs for POST requests to admin-ajax.php with the action parameter set to 'process_bulk_edit'."}, {'type': 'list_item', 'content': "Use grep or similar tools to filter logs for 'action=process_bulk_edit' and analyze the 'post_ids' parameter for unusual or unauthorized post IDs."}, {'type': 'list_item', 'content': 'Example command to search Apache or Nginx logs for suspicious bulk edit AJAX calls:'}, {'type': 'list_item', 'content': "grep 'action=process_bulk_edit' /var/log/apache2/access.log | grep 'post_ids='"}, {'type': 'list_item', 'content': 'Monitor WordPress user activity logs (if available) for bulk edit operations on posts, especially those involving modification of last modified dates.'}, {'type': 'list_item', 'content': "Check the post meta fields '_wplmi_last_modified' and '_lmt_disableupdate' for unexpected changes or locked modification dates on posts that should not be altered."}] [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the WP Last Modified Info plugin to version 1.9.6 or later, where the vulnerability has been fixed by adding proper permission checks during bulk edit operations.

Additional mitigation steps include:

• Restrict bulk edit capabilities to trusted users only, ensuring that only users with appropriate permissions can perform bulk modifications.
• Implement monitoring and alerting on bulk edit AJAX actions to detect unauthorized attempts.
• Review and audit post meta fields related to last modified dates to identify and revert unauthorized changes.
• Apply WordPress security best practices such as limiting plugin access, using strong authentication, and keeping all plugins and WordPress core updated.

Useful 0 Not Useful 0