CVE-2026-2295
Unauthorized Data Access in WPZOOM Addons via Missing Capability Check
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpzoom | wpzoom_elementor_addons | to 1.3.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress has a vulnerability due to a missing capability check in the 'ajax_post_grid_load_more' function in all versions up to 1.3.2. This flaw allows unauthenticated attackers to access protected post titles and excerpts, including drafts, future, and pending posts, which should normally be inaccessible to them.

Technically, the vulnerability arises from an insecure AJAX handler that processes user input insufficiently. Although nonce verification is implemented, the plugin dynamically includes layout files based on user-supplied input that is only lightly sanitized, potentially leading to Local File Inclusion (LFI) attacks. Additionally, the construction of the WP_Query arguments from decoded JSON data lacks strict validation, which may allow injection of unexpected values and unintended information disclosure. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to retrieve protected content from your WordPress site, such as titles and excerpts of draft, future, or pending posts that should not be publicly accessible.
Furthermore, the potential for Local File Inclusion (LFI) attacks due to dynamic inclusion of layout files based on user input could allow attackers to execute arbitrary code or access sensitive files on the server.
Overall, this could lead to unauthorized data disclosure and possibly compromise the security and integrity of your website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to protected post data via the AJAX handler 'ajax_post_grid_load_more' in the WPZOOM Elementor Addons plugin. Detection can focus on monitoring AJAX requests to the endpoint handling 'wpz_posts_grid_load_more' actions, especially those coming from unauthenticated users.

You can detect exploitation attempts by inspecting HTTP POST requests targeting the AJAX handler with parameters such as 'nonce', 'offset', and 'posts_data'. Look for requests that retrieve draft, future, or pending post titles and excerpts without proper authentication.

Suggested commands to detect suspicious activity include:

- Using web server logs (e.g., Apache or Nginx) to grep for AJAX requests related to 'wpz_posts_grid_load_more':
  `grep 'wpz_posts_grid_load_more' /var/log/apache2/access.log`
- Using curl to simulate a request and check the response for unauthorized data exposure:
  `curl -X POST -d 'action=wpz_posts_grid_load_more&nonce=invalid_nonce&offset=0&posts_data={}' https://yourwordpresssite.com/wp-admin/admin-ajax.php`
- Monitoring WordPress AJAX requests in real time with tools like tcpdump or Wireshark, filtering for 'admin-ajax.php' POST requests.

[2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WPZOOM Elementor Addons plugin to version 1.3.3 or later, as this version includes changes that restrict the post status queried to 'publish' only, preventing unauthorized access to draft, future, or pending posts.

If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the AJAX handler by implementing additional capability checks or firewall rules to block unauthenticated AJAX requests targeting 'wpz_posts_grid_load_more'.

Additionally, review and harden nonce verification and sanitize inputs more strictly if you maintain a custom or patched version of the plugin. [3, 2]
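The shape of a hardened "load more" handler, as an added illustrative example that is not the plugin's own code: because the endpoint is meant to serve anonymous visitors, it constrains the query rather than demanding a capability, fixing post_status to 'publish' as the 1.3.3 change does, rebuilding the WP_Query arguments from an allowlist of keys instead of passing decoded JSON through, and resolving the layout through a fixed map rather than including a user-supplied path. The nonce action name, the layout names and the handler's function name are assumptions.

```php
<?php
// Added illustrative example; not code from the WPZOOM plugin.
// 'wpz_posts_grid_load_more' is the AJAX action named in the advisory; the
// nonce action 'wpz_posts_grid' and the layout file names are assumed.

add_action( 'wp_ajax_wpz_posts_grid_load_more', 'example_posts_grid_load_more' );
add_action( 'wp_ajax_nopriv_wpz_posts_grid_load_more', 'example_posts_grid_load_more' );

function example_posts_grid_load_more() {
    // A nonce only guards against CSRF; it says nothing about authorization,
    // so the data returned below must be safe for an anonymous caller.
    check_ajax_referer( 'wpz_posts_grid', 'nonce' );

    $raw  = isset( $_POST['posts_data'] ) ? wp_unslash( $_POST['posts_data'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid posts_data', 400 );
    }

    // Rebuild the query from an allowlist of keys with typed coercion.
    // post_status is fixed here and is never read from the request, so a
    // caller supplying 'draft', 'future' or 'pending' in posts_data is ignored.
    $args = array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => min( 50, max( 1, absint( $data['posts_per_page'] ?? 6 ) ) ),
        'offset'         => absint( $_POST['offset'] ?? 0 ),
        'category__in'   => array_map( 'absint', (array) ( $data['category__in'] ?? array() ) ),
        'no_found_rows'  => true,
    );

    // Map a short layout key to a file we ship; never build an include path
    // from input, which is what opens the door to Local File Inclusion.
    $layouts = array( 'grid' => 'grid.php', 'list' => 'list.php' );
    $layout  = sanitize_key( $data['layout'] ?? 'grid' );
    if ( ! isset( $layouts[ $layout ] ) ) {
        wp_send_json_error( 'unknown layout', 400 );
    }
    $template = plugin_dir_path( __FILE__ ) . 'layouts/' . $layouts[ $layout ];

    $query = new WP_Query( $args );
    ob_start();
    while ( $query->have_posts() ) {
        $query->the_post();
        include $template; // renders get_the_title()/get_the_excerpt() of published posts only
    }
    wp_reset_postdata();
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}
```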