WordPress Plugin Vulnerabilities

Latest Post Shortcode < 14.2.2 - Missing Authorization

Description

The Latest Post Shortcode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 14.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
latest-post-shortcode
Fixed in 14.2.2

References

CVE
CVE-2026-31916
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/190c8744-b8e0-4722-ae0a-f18d7c058dfe

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Doan Dinh Van (DinhVan52)
Verified
No
WPVDB ID
f373c071-5b56-4386-b704-0e4c435a6ab4

Timeline

Publicly Published
2026-02-03 (about 3 months ago)
Added
2026-04-15 (about 1 month ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2025-02-11
Title
aDirectory – WordPress Directory Listing Plugin < 2.3.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Published
2025-12-18
Title
DirectoryPress – Business Directory And Classified Ad Listing < 3.6.26 - Missing Authorization
Published
2024-06-11
Title
Newsletter - API v1 and v2 addon for Newsletter < 2.4.6 - Missing Authorization to Email Subscribers Management
Published
2025-03-27
Title
WP ERP < 1.14.0 - Missing Authorization
Published
2024-10-23
Title
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce < 2.11.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication