Vulnerabilities and security researches forwp-last-modified-info wp-last-modified-info

Jun 07, 2024

CVE, Research URL: cf2c92fbf1bee09f0bae8aa3766d1fc64b84a72e
Home page URL: Security reports for WP Last Modified Info
Application: WP Last Modified Info
Date: Apr 03, 2020
Research Description: WP Last Modified Info [wp-last-modified-info] < 1.6.6 WordPress WP Last Modified Info plugin <= 1.6.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Jeroen Mulder in WordPress WP Last Modified Info plugin (versions <= 1.6.5).
Affected versions: max 1.6.6.
Status: vulnerable

Aug 21, 2024

CVE, Research URL: CVE-2024-6864
Home page URL: Security reports for WP Last Modified Info
Application: WP Last Modified Info
Date: Aug 20, 2024
Research Description: The WP Last Modified Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘template’ attribute of the lmt-post-modified-info shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.9.1.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-52756
Home page URL: Security reports for WP Last Modified Info
Application: WP Last Modified Info
Date: Oct 22, 2025
Research Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion.This issue affects WP Last Modified Info: from n/a through <= 1.9.2.
Affected versions: max 1.9.2.
Status: vulnerable

Mar 30, 2026

CVE, Research URL: CVE-2025-14608
Home page URL: Security reports for WP Last Modified Info
Application: WP Last Modified Info
Date: Feb 14, 2026
Research Description: The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
Affected versions: max 1.9.6.
Status: vulnerable