WP Last Modified Info Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the WP Last Modified Info plugin for WordPress, affecting all versions through 1.9.5. The issue arises because the plugin fails to properly validate user access to posts before allowing modifications to their metadata via the 'bulk_save' AJAX action. This oversight enables authenticated attackers with Author-level access or higher to alter the last modified information and lock the modification date of any post, including those authored by Administrators, by using the 'post_ids' parameter.

Impact

Exploitation of this vulnerability allows for unauthorized modification of post metadata, specifically the last modified date, and the ability to lock this date, preventing future changes. This could disrupt the accuracy of post timelines and potentially be misused to manipulate content visibility or relevance.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access can send a request to the 'bulk_save' AJAX action, which does not perform the necessary permission checks. The request can include the 'post_ids' parameter targeting posts created by Administrators, allowing the attacker to modify the last modified metadata and lock the date.

Remediation

Users are advised to update the WP Last Modified Info plugin to version 1.9.6 or later, where this vulnerability has been patched.
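
For plugin developers reviewing similar bulk AJAX handlers, the following added example (not the plugin's actual source or its 1.9.6 patch) shows a per-post capability check of the kind whose absence is described above. The 'bulk_save' action and 'post_ids' parameter are taken from this advisory; the hook name built from them, the handler name, nonce action, 'modified' and 'lock' fields and meta keys are hypothetical placeholders.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's real code.
// 'bulk_save' and 'post_ids' come from the advisory; every other name
// (nonce action, request fields, meta keys) is an assumed placeholder.
add_action( 'wp_ajax_bulk_save', 'example_bulk_save_handler' );

function example_bulk_save_handler() {
    // CSRF protection: dies with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_bulk_save_nonce', 'nonce' );

    // Normalise the client-supplied IDs to positive integers.
    $raw_ids  = isset( $_POST['post_ids'] ) ? (array) wp_unslash( $_POST['post_ids'] ) : array();
    $post_ids = array_values( array_unique( array_filter( array_map( 'absint', $raw_ids ) ) ) );
    if ( empty( $post_ids ) ) {
        wp_send_json_error( array( 'message' => 'No posts supplied.' ), 400 );
    }

    // Object-level authorization. Being logged in, or holding a general
    // capability such as 'edit_posts', is not enough: each ID must pass the
    // 'edit_post' meta capability, which WordPress maps to ownership and
    // post status. An Author fails this check for an Administrator's post.
    // All IDs are checked before any write so a mixed batch changes nothing.
    foreach ( $post_ids as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error(
                array( 'message' => 'Not allowed to edit this post.', 'post_id' => $post_id ),
                403
            );
        }
    }

    $modified = isset( $_POST['modified'] ) ? sanitize_text_field( wp_unslash( $_POST['modified'] ) ) : '';
    $lock     = ! empty( $_POST['lock'] ) ? 'yes' : 'no';

    foreach ( $post_ids as $post_id ) {
        if ( '' !== $modified ) {
            update_post_meta( $post_id, '_example_last_modified', $modified ); // placeholder key
        }
        update_post_meta( $post_id, '_example_lock_modified', $lock ); // placeholder key
    }

    wp_send_json_success( array( 'updated' => $post_ids ) );
}
```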

Added: Feb 14, 2026, 4:31 AM
Updated: Feb 14, 2026, 4:31 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.