Atomic Edge analysis of CVE-2026-24995:
The Latest Post Shortcode WordPress plugin, versions up to and including 14.2.0, contains a missing authorization vulnerability. The plugin’s cache reset functionality lacks a capability check, allowing any authenticated user, including those with the low-privilege Subscriber role, to trigger the action. This flaw violates the principle of least privilege and provides unauthorized access to a plugin administrative function.
Atomic Edge research identifies the root cause in the `lps_reset_cache` method within the main plugin file `latest-post-shortcode.php`. The function at line 904 checks for the presence of a `no-cache` GET parameter but performs no verification of the requesting user’s permissions. The function `execute_lps_cache_reset` is called directly, clearing the plugin’s cached data. The vulnerable code path is accessible via a simple HTTP GET request to any page where the plugin is active, as the method hooks into WordPress’s `wp_loaded` action.
An attacker exploits this vulnerability by sending an authenticated HTTP GET request containing the `no-cache` parameter. The attack vector does not require a specific endpoint; the request can be sent to any front-end or admin page. The payload is the query string `?no-cache=1`. Any authenticated user, regardless of role, can trigger the cache reset, causing a denial-of-service condition for the plugin’s performance features and potentially disrupting site functionality that relies on cached post data.
The patch in version 14.2.1 adds a comprehensive authorization check. The updated `lps_reset_cache` function now validates a nonce (`lps-modal-actions`), confirms the user is logged in, and checks that the user possesses at least the Contributor role. The fix introduces a `verify` GET parameter for the nonce check. The patch also updates the JavaScript localization in `assets.php` to include this nonce, ensuring legitimate admin UI requests remain functional. Before the patch, the function executed unconditionally. After the patch, execution requires a valid nonce and a user role of Contributor, Author, Editor, or Administrator.
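To make the before/after concrete, the following is an added illustration written against the standard WordPress API; it is not the plugin's source. The `lps_reset_cache`, `execute_lps_cache_reset`, `no-cache`, `verify` and `lps-modal-actions` names come from the advisory above; the `Lps_Cache_Demo` class, the `lps_demo_*` names and the use of the `edit_posts` capability (held by Contributor and above) to stand in for "at least the Contributor role" are my assumptions.

```php
<?php
// Illustrative reconstruction of the CVE-2026-24995 pattern; not the plugin's code.
class Lps_Cache_Demo {
    public function __construct() {
        // Hooked on wp_loaded, so the check runs on every front-end and admin request.
        add_action( 'wp_loaded', array( $this, 'lps_reset_cache' ) );
    }

    // Pre-14.2.1 shape (kept only for comparison, not hooked): the mere presence of the
    // GET parameter triggers the reset; nothing asks who the requester is.
    public function lps_reset_cache_vulnerable() {
        if ( ! empty( $_GET['no-cache'] ) ) {
            $this->execute_lps_cache_reset();
        }
    }

    // Post-14.2.1 shape as the advisory describes it: login, nonce, then capability.
    public function lps_reset_cache() {
        if ( empty( $_GET['no-cache'] ) ) {
            return;
        }
        // 1. Request must come from an authenticated user.
        if ( ! is_user_logged_in() ) {
            return;
        }
        // 2. Request must carry the nonce the admin UI was given (GET parameter `verify`).
        $nonce = isset( $_GET['verify'] ) ? sanitize_text_field( wp_unslash( $_GET['verify'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'lps-modal-actions' ) ) {
            return;
        }
        // 3. User must hold a capability Subscribers lack. `edit_posts` is granted to
        //    Contributor and above, so it stands in for "at least Contributor" (assumption).
        if ( ! current_user_can( 'edit_posts' ) ) {
            return;
        }
        $this->execute_lps_cache_reset();
    }

    public function execute_lps_cache_reset() {
        delete_transient( 'lps_demo_cache' ); // placeholder for the real cache-clearing logic
    }
}

// The legitimate admin UI needs the nonce; the advisory says the patch supplies it via the
// script localization in assets.php. The script handle and object name are assumed.
function lps_demo_localize( $handle ) {
    wp_localize_script( $handle, 'lpsDemo', array( 'verify' => wp_create_nonce( 'lps-modal-actions' ) ) );
}
```

Note that `wp_verify_nonce` is tied to the current user's session, so the nonce alone does not replace the capability check: the nonce proves the request originated from the plugin's own UI, while `current_user_can` decides whether that user may clear the cache at all.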
Successful exploitation allows low-privileged attackers to perform an administrative action. The immediate impact is a denial-of-service condition where the plugin’s cache is forcibly cleared, potentially degrading site performance. Repeated exploitation could increase server resource consumption as the cleared cache is rebuilt. While the action does not directly lead to data compromise or code execution, it represents a clear integrity violation where unauthorized users can alter plugin state and affect site behavior.
