CVE-2025-14608: CWE-862 Missing Authorization in infosatech WP Last Modified Info
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
AI Analysis
Technical Summary
The WP Last Modified Info plugin for WordPress, widely used to display or manage the last modification date of posts, suffers from an authorization bypass vulnerability identified as CVE-2025-14608. The root cause is a missing authorization check in the 'bulk_save' AJAX action handler, which processes requests to update post metadata. Specifically, the plugin fails to verify whether the authenticated user has permission to modify the targeted posts before updating their 'last modified' metadata. This flaw allows any user with Author-level privileges or higher to manipulate the 'post_ids' parameter to update or lock the modification dates of arbitrary posts, including those authored by Administrators. The vulnerability is classified as CWE-862 (Missing Authorization) and constitutes an insecure direct object reference (IDOR) issue. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based with low attack complexity and no user interaction required, but the impact is limited to integrity without affecting confidentiality or availability. There are no known exploits in the wild, and no patches have been released as of the publication date. This vulnerability could be leveraged to mislead users or administrators about the recency or authenticity of content changes, potentially undermining trust or complicating audit trails.
Potential Impact
For European organizations, the primary impact of CVE-2025-14608 lies in the integrity of content management systems running WordPress with the vulnerable WP Last Modified Info plugin. Unauthorized modification of post metadata can disrupt content auditing, compliance reporting, and editorial workflows, especially in regulated sectors such as finance, healthcare, and government where accurate record-keeping is critical. While the vulnerability does not expose sensitive data or cause service disruption, it can be exploited by malicious insiders or compromised accounts to obscure unauthorized content changes or create confusion about document timelines. This may indirectly facilitate misinformation, reduce stakeholder trust, or complicate forensic investigations. Organizations relying heavily on WordPress for publishing or internal communications should consider the reputational and operational risks associated with manipulated content metadata.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the attack surface.
2. Monitor WordPress logs and plugin-specific metadata changes for unusual or unauthorized modification patterns, especially bulk updates via AJAX.
3. Implement additional access control mechanisms at the web application firewall (WAF) or reverse proxy level to detect and block suspicious 'bulk_save' AJAX requests with unexpected 'post_ids' parameters.
4. Temporarily disable or remove the WP Last Modified Info plugin if feasible until an official patch is released.
5. Engage with the plugin vendor or community to track patch availability and apply updates promptly once released.
6. Conduct regular audits of post metadata integrity and cross-verify modification dates with other logs or version control systems.
7. Educate content managers and administrators about the risk of privilege misuse and enforce strong authentication and session management practices to prevent account compromise.
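The per-object authorization check that the Technical Summary describes as missing, and the denial logging that mitigation item 2 relies on, shown in a hypothetical hardened handler written for this page (added example, not the plugin's code; the action name, nonce name and meta keys are assumptions):

```php
<?php
// Hypothetical hardened 'bulk_save'-style AJAX handler (added example, not the
// plugin's code). Each id in 'post_ids' is authorized individually before any
// metadata is written; ids the caller may not edit are reported and logged.

add_action( 'wp_ajax_example_bulk_save', 'example_bulk_save_handler' );

function example_bulk_save_handler() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_bulk_save_nonce', 'nonce' );

    // Normalize the 'post_ids' parameter to a list of positive integers.
    $raw_ids  = isset( $_POST['post_ids'] ) ? (array) wp_unslash( $_POST['post_ids'] ) : array();
    $post_ids = array_values( array_filter( array_map( 'absint', $raw_ids ) ) );

    if ( empty( $post_ids ) ) {
        wp_send_json_error( array( 'message' => 'No post ids supplied.' ), 400 );
    }

    $updated = array();
    $denied  = array();

    foreach ( $post_ids as $post_id ) {
        // The check CWE-862 is about: 'edit_post' is a meta capability, so an
        // Author passes only for their own posts, Editors/Administrators for any.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            $denied[] = $post_id;
            continue;
        }
        // Hypothetical meta keys standing in for the plugin's own.
        update_post_meta( $post_id, '_example_last_modified', current_time( 'mysql' ) );
        update_post_meta( $post_id, '_example_lock_modified_date', 1 );
        $updated[] = $post_id;
    }

    if ( ! empty( $denied ) ) {
        // Surface rejected ids so bulk attempts against foreign posts show up in logs.
        error_log( sprintf(
            'example_bulk_save: user %d denied for posts %s',
            get_current_user_id(),
            implode( ',', $denied )
        ) );
    }

    wp_send_json_success( array( 'updated' => $updated, 'denied' => $denied ) );
}
```

A request naming posts the caller cannot edit now leaves those posts untouched and produces a log line a SIEM rule can key on.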
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-12T20:11:33.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901846c9e1ff5ad867f1e0
Added to database: 2/14/2026, 6:37:58 AM
Last enriched: 2/14/2026, 6:38:54 AM
Last updated: 2/21/2026, 12:17:31 AM