WordPress Plugin Vulnerabilities

Latest Post Shortcode < 14.2.1 - Missing Authorization

Description

The Latest Post Shortcode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 14.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
latest-post-shortcode
Fixed in 14.2.1

References

CVE
CVE-2026-24995
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a0aded4-b891-47d9-950e-180103b90a1c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
af0463ec-3ec1-42f9-9b76-8914d524b773

Timeline

Publicly Published
2026-01-24 (about 4 months ago)
Added
2026-02-02 (about 3 months ago)
Last Updated
2026-02-02 (about 3 months ago)

Other

Published
Title
Published
2026-02-07
Title
Shopwell < 1.0.12 - Missing Authorization
Published
2024-12-12
Title
PixProof <= 2.0.1 - Missing Authorization
Published
2024-07-01
Title
Woffice Core < 5.4.9 - Missing Authorization
Published
2024-05-27
Title
Photo Gallery by 10Web < 1.8.26 - Subscriber+ Notice Dismiss
Published
2026-01-01
Title
WP User Frontend < 4.2.5 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion