CVE-2026-24995
Unknown Unknown - Not Provided
Missing Authorization in Latest Post Shortcode Allows Unauthorized Access

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24995
EUVD
EUVD-2026-5252
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack latest_post_shortcode to 14.2.0 (inc)
patchstack latest_post_shortcode 14.2.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24995 is a Broken Access Control vulnerability found in the WordPress Latest Post Shortcode Plugin versions up to and including 14.2.0.

The issue arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unprivileged users to perform actions that normally require higher privileges.

This means that users with only subscriber-level privileges can exploit this flaw to bypass access controls.

Impact Analysis

This vulnerability allows users with low-level privileges (such as subscribers) to perform actions that should be restricted to higher privilege levels.

While the CVSS severity score is 4.3, indicating a low priority and low impact threat, it still poses a risk of unauthorized access or actions within the affected plugin.

Exploitation could lead to unauthorized changes or access to content managed by the Latest Post Shortcode plugin.

Detection Guidance

This vulnerability arises from missing authorization checks in the Latest Post Shortcode WordPress plugin up to version 14.2.0. Detection typically involves verifying the plugin version installed on your WordPress site.

You can check the plugin version by accessing your WordPress installation and running commands such as:

  • Using WP-CLI: wp plugin list | grep latest-post-shortcode
  • Manually checking the plugin version in the WordPress admin dashboard under Plugins.

Since the vulnerability requires only subscriber-level privileges to exploit, monitoring for unusual actions performed by low-privilege users might also help detect exploitation attempts, but no specific network or system commands are provided.

Mitigation Strategies

The primary mitigation step is to update the Latest Post Shortcode plugin to version 14.2.1 or later, where the vulnerability has been fixed.

Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are patched promptly.

Since the vulnerability is due to broken access control, reviewing and tightening access permissions for subscriber-level users may also reduce risk.

Compliance Impact

The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks.

While the vulnerability could potentially lead to unauthorized access, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

The severity is rated low (CVSS 4.3), and the issue is unlikely to be exploited, which may reduce the risk of compliance violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24995. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart