The WP Last Modified Info plugin for WordPress, widely used to display the last modification date of posts, suffers from a missing authorization vulnerability classified as CWE-862. Specifically, in the 'bulk_save' AJAX action, the plugin fails to verify whether the authenticated user has permission to modify the metadata of the specified posts. This results in an insecure direct object reference (IDOR) vulnerability, allowing any user with Author-level privileges or higher to update the 'last modified' metadata of arbitrary posts by manipulating the 'post_ids' parameter. Since Authors typically have rights to edit their own posts but not others', this flaw escalates their ability to alter metadata on posts they do not own, including those created by Administrators. The vulnerability affects all plugin versions up to and including 1.9.5. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and no user interaction, but does not impact confidentiality or availability, only integrity of metadata. No patches or fixes are currently linked, and no known exploits have been observed in the wild. This vulnerability can be leveraged to misrepresent content modification history, potentially undermining editorial processes, audit trails, and content authenticity verification.

The primary impact of CVE-2025-14608 is the unauthorized modification of post metadata, specifically the 'last modified' date, which can undermine the integrity of content management and auditing processes. Attackers with Author-level access can manipulate modification timestamps on posts they do not own, including those by Administrators, potentially misleading site administrators, editors, and users about the freshness or authenticity of content. This could be exploited to cover unauthorized content changes, evade detection of malicious edits, or disrupt editorial workflows. While it does not directly compromise content confidentiality or site availability, the integrity loss can have reputational consequences and complicate forensic investigations. Organizations relying on WP Last Modified Info for compliance or content verification may face increased risk of misinformation or audit failures. The vulnerability requires authenticated access at Author level or higher, limiting exposure to internal or compromised accounts rather than anonymous attackers.

To mitigate CVE-2025-14608, organizations should first check for and apply any available patches or updates from the plugin vendor once released. In the absence of an official patch, administrators can implement the following practical measures: 1) Restrict Author-level user permissions to the minimum necessary, avoiding granting this role to untrusted users. 2) Temporarily disable or remove the WP Last Modified Info plugin if it is not critical to site operations. 3) Implement custom code or use security plugins to add authorization checks on AJAX actions related to post metadata modification, ensuring users can only modify metadata for posts they own or have explicit rights to edit. 4) Monitor logs for suspicious bulk_save AJAX requests or unusual modification patterns of post metadata. 5) Educate content editors and administrators to verify modification dates and audit content changes regularly. 6) Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block unauthorized attempts to manipulate the 'post_ids' parameter in AJAX requests. These steps help reduce the risk until an official fix is available.