Description
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.
Published: 2026-02-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated data exposure
Action: Patch
AI Analysis

Impact

The WPZOOM Addons for Elementor plugin contains a missing capability check in the ajax_post_grid_load_more function. An unauthenticated attacker can call this Ajax endpoint and retrieve the titles and excerpts of posts that are marked as draft, future, or pending, exposing content that should remain confidential. This results in moderate information disclosure.

Affected Systems

WordPress sites with the WPZOOM Addons for Elementor – Starter Templates & Widgets plugin installed at any version up to and including 1.3.2 are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of real‑world exploitation at this time. The weakness is not currently listed in CISA’s KEV catalog, but the vulnerability can be triggered simply by accessing the public Ajax URL, requiring no prior authentication or complex conditions. If exploited, an attacker gains read access to protected post content, potentially revealing sensitive information or compromising user privacy.

Generated by OpenCVE AI on April 15, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPZOOM Addons for Elementor – Starter Templates & Widgets plugin to version 1.3.3 or later, which adds the capability check that earlier versions lack.
  • If an immediate update is not possible, disable the ajax_post_grid_load_more endpoint by preventing public access to the Ajax URL using web server rules (e.g., .htaccess or Nginx configuration).
  • Review content visibility settings and enforce stricter role‑based access controls to ensure protected posts remain inaccessible to unauthenticated users.
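As an added illustration (not the WPZOOM plugin's code and not part of the OpenCVE record), a hypothetical WordPress Ajax "load more" handler in the weak form the description implies, beside a hardened form that only serves non-published statuses to users who hold the edit_others_posts capability. All example_* names and the nonce action are invented; WP_Query does not enforce capabilities on post_status by itself unless the 'perm' argument is used, so the handler must check.

```php
<?php
// Added illustration, not the WPZOOM plugin's code; example_* names are invented.
// Weak form: WP_Query receives whatever post_status the client sent, so an
// anonymous call can return draft/future/pending titles and excerpts.
// Hardened form: non-public statuses require a capability check.

function example_grid_query_args( $status ) {
    return array(
        'post_type'      => 'post',
        'posts_per_page' => 10,
        'paged'          => isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 1,
        'post_status'    => $status,
    );
}

// Weak pattern (missing capability check): sanitizing the value is not enough,
// because 'draft', 'future' and 'pending' are valid status keys.
function example_grid_load_more_weak() {
    $status = isset( $_POST['post_status'] )
        ? sanitize_key( wp_unslash( $_POST['post_status'] ) ) : 'publish';
    $query  = new WP_Query( example_grid_query_args( $status ) ); // trusts the client
    wp_send_json_success( example_grid_render( $query ) );
}

// Hardened pattern.
function example_grid_load_more_hardened() {
    // A nonce ties the request to a page load; it does not prove privilege,
    // so the capability check below is still required.
    check_ajax_referer( 'example_grid_nonce', 'nonce' );
    $requested = isset( $_POST['post_status'] )
        ? sanitize_key( wp_unslash( $_POST['post_status'] ) ) : 'publish';
    // Only users allowed to edit others' posts may list unpublished statuses.
    $status = ( 'publish' !== $requested && current_user_can( 'edit_others_posts' ) )
        ? $requested : 'publish';
    $query  = new WP_Query( example_grid_query_args( $status ) );
    wp_send_json_success( example_grid_render( $query ) );
}

function example_grid_render( WP_Query $query ) {
    $items = array();
    foreach ( $query->posts as $post ) {
        $items[] = array( 'title' => get_the_title( $post ), 'excerpt' => get_the_excerpt( $post ) );
    }
    return $items;
}

// Registered for logged-in and anonymous callers alike; the handler decides what each may see.
add_action( 'wp_ajax_example_grid_load_more',        'example_grid_load_more_hardened' );
add_action( 'wp_ajax_nopriv_example_grid_load_more', 'example_grid_load_more_hardened' );
```

The same gating applies to any other request parameter that widens the query (author, password-protected posts, private post types); an unauthenticated request should never be able to select a status other than publish.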



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress; Wpzoom; Wpzoom wpzoom Addons For Elementor – Starter Templates & Widgets
Vendors & Products (values added): Wordpress; Wordpress wordpress; Wpzoom; Wpzoom wpzoom Addons For Elementor – Starter Templates & Widgets

Wed, 11 Feb 2026 16:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 09:45:00 +0000

Description (values added): The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.
Title (values added): WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more
Weaknesses (values added): CWE-200
References
Metrics cvssV3_1 (values added): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:06.404Z

Reserved: 2026-02-10T16:22:48.874Z

Link: CVE-2026-2295

Vulnrichment

Updated: 2026-02-11T15:20:29.447Z

NVD

Status: Deferred

Published: 2026-02-11T10:15:51.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses