CVE-2026-24995
Missing Authorization in Latest Post Shortcode Allows Unauthorized Access
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | latest_post_shortcode | to 14.2.0 (inc) |
| patchstack | latest_post_shortcode | 14.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks.
While the vulnerability could potentially lead to unauthorized access, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
The severity is rated low (CVSS 4.3), and the issue is unlikely to be exploited, which may reduce the risk of compliance violations.
Can you explain this vulnerability to me?
CVE-2026-24995 is a Broken Access Control vulnerability found in the WordPress Latest Post Shortcode Plugin versions up to and including 14.2.0.
The issue arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unprivileged users to perform actions that normally require higher privileges.
This means that users with only subscriber-level privileges can exploit this flaw to bypass access controls.
How can this vulnerability impact me? :
This vulnerability allows users with low-level privileges (such as subscribers) to perform actions that should be restricted to higher privilege levels.
While the CVSS severity score is 4.3, indicating a low priority and low impact threat, it still poses a risk of unauthorized access or actions within the affected plugin.
Exploitation could lead to unauthorized changes or access to content managed by the Latest Post Shortcode plugin.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization checks in the Latest Post Shortcode WordPress plugin up to version 14.2.0. Detection typically involves verifying the plugin version installed on your WordPress site.
You can check the plugin version by accessing your WordPress installation and running commands such as:
- Using WP-CLI: wp plugin list | grep latest-post-shortcode
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
Since the vulnerability requires only subscriber-level privileges to exploit, monitoring for unusual actions performed by low-privilege users might also help detect exploitation attempts, but no specific network or system commands are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Latest Post Shortcode plugin to version 14.2.1 or later, where the vulnerability has been fixed.
Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are patched promptly.
Since the vulnerability is due to broken access control, reviewing and tightening access permissions for subscriber-level users may also reduce risk.