WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more
Description
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 5.3, Medium)
Technical Details
Affected versions: <= 1.3.2
What Changed in the Fix
Changes introduced in v1.3.3
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-2295 (WPZOOM Addons for Elementor)
1. Vulnerability Summary
The WPZOOM Addons for Elementor plugin (up to version 1.3.2) is vulnerable to Unauthenticated Protected Post Exposure. The vulnerability exists in the ajax_post_grid_load_more function located in includes/wpzoom-elementor-ajax-posts-grid.php.
The plugin registers both wp_ajax_wpz_posts_grid_load_more and wp_ajax_nopriv_wpz_posts_grid_load_more hooks, making the functionality accessible to unauthenticated users. While it performs a nonce check, the nonce is frequently exposed on public pages where the "Posts Grid" widget is utilized. Crucially, the function lacks a capability check and allows unauthenticated users to influence the WP_Query parameters via the posts_data JSON object. This allows an attacker to retrieve titles and excerpts of posts with "protected" statuses such as draft, future, and pending.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: wpz_posts_grid_load_more
- Method: POST
- Parameters:
  - action: wpz_posts_grid_load_more (required)
  - nonce: a valid WordPress nonce for the action wpz_posts_grid_load_more (required; obtainable from any public page that renders the Posts Grid widget)
  - offset: query offset, passed straight into the WP_Query arguments
  - posts_data: JSON object whose keys (posts_per_page, category_name, category__not_in, orderby, order, grid_style) are copied into the WP_Query arguments by the handler
Summary
The WPZOOM Addons for Elementor plugin is vulnerable to unauthenticated information disclosure via the `ajax_post_grid_load_more` function. By exploiting a missing capability check and a lack of explicit post status restrictions in the AJAX-driven post query, attackers can retrieve sensitive data such as titles and excerpts of draft, pending, or scheduled posts.
Vulnerable Code
```php
// includes/wpzoom-elementor-ajax-posts-grid.php:65
public function ajax_post_grid_load_more() {
    if ( check_ajax_referer( 'wpz_posts_grid_load_more', 'nonce' ) && wp_verify_nonce( $_POST['nonce'], 'wpz_posts_grid_load_more' ) ) :
        $offset = sanitize_text_field( $_POST['offset'] );
        $data   = sanitize_text_field( $_POST['posts_data'] );
        $data   = json_decode( stripslashes( $data ), true );

        self::$settings = $data;

        // No 'post_status' key: WP_Query falls back to its default status set, which in
        // admin-ajax.php (admin context) includes draft, pending and future posts.
        $args = array(
            'posts_per_page'      => absint( $data['posts_per_page'] ),
            'post__not_in'        => get_option( 'sticky_posts' ),
            'ignore_sticky_posts' => true,
        );

        // Caller-controlled query arguments copied from the posts_data JSON without validation.
        if ( ! empty( $data['category_name'] ) ) {
            $args['category_name'] = $data['category_name'];
        }
        if ( ! empty( $data['category__not_in'] ) ) {
            $args['category__not_in'] = $data['category__not_in'];
        }
        // Order by.
        if ( ! empty( $data['orderby'] ) ) {
            $args['orderby'] = $data['orderby'];
        }
        // Order.
        if ( ! empty( $data['order'] ) ) {
            $args['order'] = $data['order'];
        }
        // Offset.
        if ( ! empty( $offset ) ) {
            $args['offset'] = $offset;
        }

        $data['grid_style'] = (int) $data['grid_style'];
        $grid_style = isset( $data['grid_style'] ) && is_int( $data['grid_style'] ) ? sanitize_file_name( $data['grid_style'] ) : '1';

        // Post Query
        $all_posts = new WP_Query( $args );
        // ... remainder of the method (rendering of $all_posts and the closing endif) is not shown on this page.
```
Security Fix
@@ -74,6 +74,7 @@ self::$settings = $data; $args = array( + 'post_status' => 'publish', 'posts_per_page' => absint( $data['posts_per_page'] ), 'post__not_in' => get_option( 'sticky_posts' ), 'ignore_sticky_posts' => true,
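Review bot: `'post_status' => 'publish'` closes the draft/pending/future exposure, but the hunk leaves every other caller-controlled `WP_Query` argument as it was: `category_name`, `category__not_in`, `orderby` and `order` are still copied from the decoded `posts_data` without validation, `offset` only passes through `sanitize_text_field`, and `posts_per_page` has no upper bound, so an unauthenticated caller can still drive arbitrarily large or oddly ordered queries. Suggest whitelisting `orderby`/`order` against the values the widget actually emits, casting `offset` with `absint()`, and capping `posts_per_page` in the same array.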
Exploit Outline
The exploit targets the WordPress AJAX endpoint and takes advantage of unauthenticated access to the plugin's post grid loading logic. An attacker first locates a page where the WPZOOM Posts Grid widget is used and extracts the valid nonce for the action `wpz_posts_grid_load_more` from its markup. Using this nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action` set to `wpz_posts_grid_load_more` and a `posts_data` JSON object containing query parameters. Version 1.3.2 and earlier never set `post_status` in the `WP_Query` arguments. Because `admin-ajax.php` runs in admin context (`is_admin()` returns true there), a `WP_Query` with no explicit `post_status` includes the protected statuses `draft`, `pending` and `future` alongside `publish`, regardless of whether the caller is authenticated; with no capability check on the handler, the plugin therefore renders titles and excerpts of those posts into the AJAX response.