Ultimate Post Kit Addons for Elementor Security & Risk Analysis

wordpress.org/plugins/ultimate-post-kit

Build your blogs and news sites with a feature-rich Elementor addon, offering 100+ elements for engaging layouts.

30K active installs · v4.1.6 · PHP 7.0.0+ · WP 5.0.0+ · Updated Apr 9, 2026
Tags: elementor, elementor-addons, post-carousel, post-grid, posts
Score 96 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Mar 18, 2026
Safety Verdict

Is Ultimate Post Kit Addons for Elementor Safe to Use in 2026?

Generally Safe

Score 96/100

Ultimate Post Kit Addons for Elementor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Mar 18, 2026 · Updated 1mo ago
Risk Assessment

The Ultimate Post Kit plugin exhibits a mixed security posture. It follows good practice in some areas: a high percentage of outputs are properly escaped, and there is a significant number of nonce and capability checks. There are also notable areas of concern. The attack surface is substantial, and the 33 AJAX handlers without authentication checks present a considerable risk, exposing the plugin to potential unauthorized actions if an attacker can trick a logged-in user into triggering these endpoints. The taint analysis also identified a concerning number of flows with unsanitized paths. No critical or high-severity issues were flagged in this specific scan, but these flows suggest potential for vulnerabilities that were not immediately apparent or exploitable in the analyzed context.

The vulnerability history shows past medium-severity vulnerabilities, specifically Exposure of Sensitive Information and Cross-Site Scripting. All previously known CVEs are now patched, which is a positive sign and indicates a responsive development team. However, these past vulnerability types, combined with the current findings of unprotected entry points and unsanitized paths, suggest a recurring need for rigorous security auditing and development practices. The plugin's strengths lie in its efforts to implement proper output escaping and authorization checks, but these are undermined by the large number of unprotected AJAX endpoints.

Key Concerns

  • Large attack surface without auth checks
  • Flows with unsanitized paths found
  • Past medium severity vulnerabilities
Vulnerabilities
3 published

Ultimate Post Kit Addons for Elementor Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2026-24362 · medium · 4.3 · Missing Authorization

Ultimate Post Kit Addons for Elementor <= 4.0.21 - Missing Authorization

Mar 18, 2026 Patched in 4.0.22 (10d)
CVE-2025-14434 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Ultimate Post Kit <= 4.0.15 - Unauthenticated Information Disclosure

Dec 10, 2025 Patched in 4.0.16 (28d)
CVE-2024-5662 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) <= 3.11.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Count (Static) Widget

Jun 27, 2024 Patched in 3.11.8 (1d)
Version History

Ultimate Post Kit Addons for Elementor Release Timeline

v4.1.6 (Current)
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0
v4.0.23
v4.0.22
v4.0.21 (1 CVE)
v4.0.20 (1 CVE)
v4.0.19 (1 CVE)
v4.0.18 (1 CVE)
v4.0.17 (1 CVE)
v4.0.16 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Ultimate Post Kit Addons for Elementor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (2 prepared)
Unescaped Output: 260 (1752 escaped)
Nonce Checks: 21
Capability Checks: 32
File Operations: 4
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

67% prepared · 3 total queries

Output Escaping

87% escaped · 2012 total outputs
Data Flows · Security
18 unsanitized

Data Flow Analysis

25 flows · 18 with unsanitized paths
bdt_duplicate_as_draft (includes\class-duplicator.php:25)
Attack Surface
33 unprotected

Ultimate Post Kit Addons for Elementor Attack Surface

Entry Points: 52
Unprotected: 33

AJAX Handlers 52

auth · wp_ajax_bdt_admin_api_biggopti_dismiss · admin\admin-api-biggopti.php:20
auth · wp_ajax_ultimate-post-kit-biggopties · admin\admin-biggopti.php:24
auth · wp_ajax_upk_fetch_api_biggopties · admin\admin-biggopti.php:27
auth · wp_ajax_upk_save_white_label · admin\admin-settings.php:56
auth · wp_ajax_upk_revoke_white_label_token · admin\admin-settings.php:57
auth · wp_ajax_upk_install_plugin · admin\admin-settings.php:61
auth · wp_ajax_upk_save_custom_code · admin\admin-settings.php:89
auth · wp_ajax_ultimate_post_kit_settings_save · admin\class-settings-api.php:24
auth · wp_ajax_upk_dynamic_select_input_data · includes\controls\select-input\dynamic-select-input-module.php:35
auth · wp_ajax_rc_sdk_insights · includes\feedback-hub\notice.php:45
auth · wp_ajax_rc_sdk_dismiss_notice · includes\feedback-hub\notice.php:46
auth · wp_ajax_upk_get_plugins · includes\setup-wizard\class-remote-data-handler.php:40
nopriv · wp_ajax_upk_get_plugins · includes\setup-wizard\class-remote-data-handler.php:41
auth · wp_ajax_setup_wizard_install_plugins · includes\setup-wizard\init.php:51
auth · wp_ajax_import_elementor_template · includes\setup-wizard\init.php:411
auth · wp_ajax_import_upk_elementor_bundle_template · includes\setup-wizard\init.php:506
auth · wp_ajax_import_upk_elementor_bundle_runner_template · includes\setup-wizard\init.php:601
auth · wp_ajax_upk_get_plugins · includes\setup-wizard\ultimate-post-kit-others-plugin.php:26
nopriv · wp_ajax_upk_get_plugins · includes\setup-wizard\ultimate-post-kit-others-plugin.php:27
auth · wp_ajax_upk_install_plugin · includes\setup-wizard\ultimate-post-kit-others-plugin.php:28
nopriv · wp_ajax_upk_alex_grid_loadmore_posts · modules\alex-grid\module.php:18
auth · wp_ajax_upk_alex_grid_loadmore_posts · modules\alex-grid\module.php:19
nopriv · wp_ajax_upk_alice_grid_loadmore_posts · modules\alice-grid\module.php:18
auth · wp_ajax_upk_alice_grid_loadmore_posts · modules\alice-grid\module.php:19
nopriv · wp_ajax_upk_alter_grid_loadmore_posts · modules\alter-grid\module.php:18
auth · wp_ajax_upk_alter_grid_loadmore_posts · modules\alter-grid\module.php:19
nopriv · wp_ajax_upk_amox_grid_loadmore_posts · modules\amox-grid\module.php:18
auth · wp_ajax_upk_amox_grid_loadmore_posts · modules\amox-grid\module.php:19
nopriv · wp_ajax_upk_buzz_list_loadmore_posts · modules\buzz-list\module.php:17
auth · wp_ajax_upk_buzz_list_loadmore_posts · modules\buzz-list\module.php:18
nopriv · wp_ajax_upk_elite_grid_loadmore_posts · modules\elite-grid\module.php:17
auth · wp_ajax_upk_elite_grid_loadmore_posts · modules\elite-grid\module.php:18
nopriv · wp_ajax_upk_fanel_list_loadmore_posts · modules\fanel-list\module.php:17
auth · wp_ajax_upk_fanel_list_loadmore_posts · modules\fanel-list\module.php:18
nopriv · wp_ajax_upk_featured_list_loadmore_posts · modules\featured-list\module.php:17
auth · wp_ajax_upk_featured_list_loadmore_posts · modules\featured-list\module.php:18
nopriv · wp_ajax_upk_gratis_grid_loadmore_posts · modules\gratis-grid\module.php:17
auth · wp_ajax_upk_gratis_grid_loadmore_posts · modules\gratis-grid\module.php:18
nopriv · wp_ajax_upk_harold_list_loadmore_posts · modules\harold-list\module.php:17
auth · wp_ajax_upk_harold_list_loadmore_posts · modules\harold-list\module.php:18
nopriv · wp_ajax_upk_hazel_grid_loadmore_posts · modules\hazel-grid\module.php:17
auth · wp_ajax_upk_hazel_grid_loadmore_posts · modules\hazel-grid\module.php:18
nopriv · wp_ajax_upk_maple_grid_loadmore_posts · modules\maple-grid\module.php:17
auth · wp_ajax_upk_maple_grid_loadmore_posts · modules\maple-grid\module.php:18
auth · wp_ajax_ultimate_post_kit_mailchimp_subscribe · modules\newsletter\module.php:16
nopriv · wp_ajax_ultimate_post_kit_mailchimp_subscribe · modules\newsletter\module.php:17
nopriv · wp_ajax_upk_ramble_grid_loadmore_posts · modules\ramble-grid\module.php:18
auth · wp_ajax_upk_ramble_grid_loadmore_posts · modules\ramble-grid\module.php:19
nopriv · wp_ajax_upk_scott_list_loadmore_posts · modules\scott-list\module.php:17
auth · wp_ajax_upk_scott_list_loadmore_posts · modules\scott-list\module.php:18
nopriv · wp_ajax_upk_tiny_list_loadmore_posts · modules\tiny-list\module.php:17
auth · wp_ajax_upk_tiny_list_loadmore_posts · modules\tiny-list\module.php:18
WordPress Hooks 63
action · wp_dashboard_setup · admin\admin-feeds.php:26
action · admin_init · admin\admin-settings.php:45
action · admin_menu · admin\admin-settings.php:46
action · admin_head · admin\admin-settings.php:58
action · admin_init · admin\admin-settings.php:67
action · admin_enqueue_scripts · admin\admin-settings.php:93
action · admin_init · admin\admin-settings.php:429
action · admin_menu · admin\admin-settings.php:430
action · admin_notices · admin\admin-settings.php:433
action · admin_enqueue_scripts · admin\admin.php:31
action · admin_init · admin\admin.php:33
action · admin_init · admin\admin.php:40
action · admin_enqueue_scripts · admin\class-settings-api.php:22
action · elementor/widgets/register · base\ultimate-post-kit-module-base.php:20
action · admin_action_bdt_duplicate_as_draft · includes\class-duplicator.php:20
filter · post_row_actions · includes\class-duplicator.php:21
filter · page_row_actions · includes\class-duplicator.php:22
filter · wpml_elementor_widgets_to_translate · includes\class-elements-wpml-compatibility.php:29
action · pre_get_posts · includes\controls\group-query\group-control-query.php:524
action · pre_get_posts · includes\controls\group-query\group-control-query.php:529
filter · found_posts · includes\controls\group-query\group-control-query.php:530
action · elementor/controls/register · includes\controls\select-input\dynamic-select.php:121
action · admin_enqueue_scripts · includes\feedback-hub\notice.php:124
action · admin_notices · includes\feedback-hub\notice.php:127
filter · user_contactmethods · includes\helper.php:95
action · pre_get_posts · includes\helper.php:515
action · elementor/editor/after_enqueue_scripts · includes\live-copy\class-live-copy.php:10
action · init · includes\setup-wizard\class-remote-data-handler.php:38
action · init · includes\setup-wizard\class-remote-data-handler.php:557
action · admin_enqueue_scripts · includes\setup-wizard\init.php:52
action · admin_init · includes\setup-wizard\init.php:53
action · admin_init · includes\setup-wizard\init.php:54
action · admin_init · includes\setup-wizard\init.php:55
filter · auto_update_translation · includes\setup-wizard\init.php:58
action · admin_head · includes\setup-wizard\init.php:68
action · admin_footer · includes\setup-wizard\init.php:120
action · admin_head · includes\setup-wizard\init.php:160
action · category_add_form_fields · includes\ultimate-post-kit-category-image.php:5
action · created_category · includes\ultimate-post-kit-category-image.php:6
action · category_edit_form_fields · includes\ultimate-post-kit-category-image.php:7
action · edited_category · includes\ultimate-post-kit-category-image.php:8
action · admin_enqueue_scripts · includes\ultimate-post-kit-category-image.php:9
action · admin_footer · includes\ultimate-post-kit-category-image.php:10
action · admin_init · includes\ultimate-post-kit-metabox.php:12
action · save_post · includes\ultimate-post-kit-metabox.php:13
action · elementor/elements/categories_registered · loader.php:324
action · elementor/init · loader.php:325
action · elementor/editor/after_enqueue_styles · loader.php:327
action · elementor/editor/after_enqueue_scripts · loader.php:328
action · wp_enqueue_scripts · loader.php:330
action · wp_enqueue_scripts · loader.php:331
action · wp_enqueue_scripts · loader.php:332
action · wp_enqueue_scripts · loader.php:333
action · elementor/preview/enqueue_styles · loader.php:335
action · init · loader.php:365
action · elementor/frontend/widget/before_render · modules\animations\module.php:496
filter · social_share_prefix_class · modules\social-share\widgets\social-share.php:454
action · init · ultimate-post-kit.php:35
action · admin_notices · ultimate-post-kit.php:109
action · wp_head · ultimate-post-kit.php:120
action · wp_footer · ultimate-post-kit.php:121
action · plugins_loaded · ultimate-post-kit.php:124
action · admin_init · ultimate-post-kit.php:195
Maintenance & Trust

Ultimate Post Kit Addons for Elementor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 9, 2026
PHP min version: 7.0.0
Downloads: 1.1M

Community Trust

Rating: 96/100
Number of ratings: 57
Active installs: 30K
Developer Profile

Ultimate Post Kit Addons for Elementor Developer Profile

bdthemes

24 plugins · 250K total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 21 days
Detection Fingerprints

How We Detect Ultimate Post Kit Addons for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-post-kit/assets/css/frontend.css
/wp-content/plugins/ultimate-post-kit/assets/js/frontend.js
/wp-content/plugins/ultimate-post-kit/assets/css/upk-slider.css
/wp-content/plugins/ultimate-post-kit/assets/js/upk-slider.js
/wp-content/plugins/ultimate-post-kit/assets/css/upk-modal.css
/wp-content/plugins/ultimate-post-kit/assets/js/upk-modal.js
/wp-content/plugins/ultimate-post-kit/assets/css/upk-sticky-column.css
/wp-content/plugins/ultimate-post-kit/assets/js/upk-sticky-column.js
(+155 more)
Script Paths
/wp-content/plugins/ultimate-post-kit/assets/js/frontend.js
/wp-content/plugins/ultimate-post-kit/assets/js/upk-slider.js
/wp-content/plugins/ultimate-post-kit/assets/js/upk-modal.js
/wp-content/plugins/ultimate-post-kit/assets/js/upk-sticky-column.js
/wp-content/plugins/ultimate-post-kit/assets/js/upk-accordion.js
/wp-content/plugins/ultimate-post-kit/assets/js/upk-tabs.js
(+80 more)
Version Parameters
ultimate-post-kit/ultimate-post-kit.php?ver=BDTUPK_VER

HTML / DOM Fingerprints

CSS Classes
upk-slider, upk-modal, upk-sticky-column, upk-accordion, upk-tabs, upk-isotope, upk-countdown, upk-toggle-bar (+72 more)
HTML Comments
<!-- Ultimate Post Kit Admin Settings -->
<!-- Ultimate Post Kit Pro Widget Map -->
<!-- Ultimate Post Kit Setup Wizard -->
<!-- Element pack widget and assets loader -->
(+8 more)
Data Attributes
data-elementor-settings, data-settings
JS Globals
BDTUPK, upk_options, upk_admin_params, ultimate_post_kit_admin
REST Endpoints
/wp-json/upk/v1/settings
/wp-json/upk/v1/get-widgets
/wp-json/upk/v1/get-addons
/wp-json/upk/v1/get-pro-widgets
/wp-json/upk/v1/get-pro-addons
/wp-json/upk/v1/get-pro-extensions
/wp-json/upk/v1/save-settings
/wp-json/upk/v1/save-white-label
/wp-json/upk/v1/revoke-white-label-token
/wp-json/upk/v1/install-plugin
/wp-json/upk/v1/remove-plugin
/wp-json/upk/v1/rollback-plugin
/wp-json/upk/v1/get-plugin-info
/wp-json/upk/v1/check-updates
/wp-json/upk/v1/get-plugin-settings