WordPress Plugin Vulnerabilities

WPZOOM Addons for Elementor – Starter Templates & Widgets < 1.3.3 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more

Description

The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.

Affects Plugins

Plugin icon
wpzoom-elementor-addons
Fixed in 1.3.3

References

CVE
CVE-2026-2295
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9961347-7c47-4fa1-af35-609c39a6cd8b

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
19508e67-80f3-4716-89f1-0f3ff001acfe

Timeline

Publicly Published
2026-02-10 (about 3 months ago)
Added
2026-02-10 (about 3 months ago)
Last Updated
2026-02-11 (about 3 months ago)

Other

Published
Title
Published
2023-09-11
Title
WooCommerce < 7.0.1 - Authenticated(Shop Manager+) Sensitive Information Exposure
Published
2025-04-04
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.6.0 - Authenticated (Subscriber+) Sensitive Information Exposure
Published
2024-02-08
Title
Passster – Password Protect Pages and Content < 4.2.6.3 - Missing Authorization to Sensitive Information Exposure
Published
2024-04-05
Title
WordPress Backup & Migration < 1.4.8 - Unauthenticated Sensitive Information Exposure
Published
2024-02-02
Title
WP Visitor Statistics (Real Time Traffic) < 6.9.5 - Sensitive Information Exposure via Log File