CVE-2026-2295 in WPZOOM Addons for Elementor Plugin

Summary

by MITRE • 02/11/2026

The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.


Analysis

by VulDB Data Team • 02/12/2026

The WPZOOM Addons for Elementor plugin represents a popular extension for WordPress websites that provides various starter templates and widgets to enhance site functionality. This particular vulnerability affects all versions up to and including 1.3.2, creating a significant security gap that undermines the integrity of WordPress content access controls. The issue stems from a fundamental flaw in the plugin's authorization mechanism, specifically within the ajax_post_grid_load_more function which handles dynamic content loading operations. The vulnerability manifests as a missing capability check that should normally verify user permissions before allowing access to protected content.

The technical flaw resides in the improper implementation of access control within the plugin's ajax endpoint. When the ajax_post_grid_load_more function processes requests, it fails to validate whether the requesting user possesses the necessary permissions to view draft, future, or pending posts. This missing capability check creates an unauthorized access vector where any unauthenticated user can submit requests to retrieve sensitive content that should remain hidden from public view. The vulnerability operates at the application layer and specifically targets WordPress's post status system, which includes various content states that require specific user roles for access. This flaw directly violates the principle of least privilege and demonstrates inadequate input validation practices within the plugin's codebase.

The operational impact of this vulnerability extends beyond simple information disclosure, as it allows attackers to harvest protected content that may contain sensitive information, unpublished features, or confidential details. An attacker could systematically enumerate draft posts, future scheduled content, and pending revisions to gather intelligence about upcoming website updates, internal business strategies, or potentially expose confidential information. The vulnerability affects not just individual posts but entire collections of protected content that should remain inaccessible to unauthenticated users. This type of information disclosure can lead to competitive disadvantages, reputational damage, and potential compliance violations depending on the nature of the exposed content.

Security practitioners should recognize this vulnerability as a clear example of insufficient access control mechanisms and improper privilege validation within WordPress plugins. The flaw aligns with common weakness patterns identified in CWE-284 (Improper Access Control) and represents a critical gap in the plugin's authorization framework. From an attack perspective, this vulnerability maps to MITRE ATT&CK technique T1213 (Data from Information Repositories), where attackers extract sensitive data through improper access controls. Organizations should implement immediate mitigation strategies including updating to the latest plugin version, implementing additional access controls at the web server level, and monitoring for unauthorized access attempts. The vulnerability highlights the importance of proper capability checks in AJAX endpoints and underscores the necessity of comprehensive security testing for WordPress plugins before deployment in production environments.
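As an added illustration (not the plugin's own code), the following shows the class of bug described above in a WordPress "load more" AJAX handler, alongside a hardened version that checks a nonce and restricts post statuses to what the caller may read. The action, nonce, and function names are assumptions made for this example.

```php
<?php
// Illustrative "load more" AJAX handler for a WordPress post grid, showing the
// class of bug described above beside a hardened version. Action, nonce and
// function names are assumptions for this example, not the plugin's own code.

// Vulnerable pattern: the handler is reachable by logged-out users via the
// wp_ajax_nopriv_ hook and queries every post status, so draft, future and
// pending titles and excerpts are returned to anyone who calls the endpoint.
function example_grid_load_more_vulnerable() {
    $paged = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
    example_grid_send_posts( $paged, 'any' ); // 'any' includes draft/future/pending
}

// Hardened pattern: verify the request nonce and restrict the queried statuses
// to what the caller is allowed to read. Logged-out users only ever get
// published posts; non-public statuses require the edit_posts capability.
function example_grid_load_more_hardened() {
    check_ajax_referer( 'example_grid_nonce', 'nonce' ); // dies with 403 on failure
    $paged    = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
    $statuses = current_user_can( 'edit_posts' )
        ? array( 'publish', 'draft', 'future', 'pending' )
        : array( 'publish' );
    example_grid_send_posts( $paged, $statuses );
}
// Only the hardened handler is hooked; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_grid_load_more', 'example_grid_load_more_hardened' );
add_action( 'wp_ajax_nopriv_example_grid_load_more', 'example_grid_load_more_hardened' );

// Shared query/response code. WP_Query applies no capability filtering to an
// explicit post_status list, so the caller must decide what is permissible
// (an alternative is 'perm' => 'readable', which filters by the current user).
function example_grid_send_posts( $paged, $statuses ) {
    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => $statuses,
        'posts_per_page' => 10,
        'paged'          => max( 1, $paged ),
        'no_found_rows'  => true,
    ) );
    $items = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $items[] = array(
            'title'   => get_the_title(),
            'excerpt' => get_the_excerpt(),
            'status'  => get_post_status(),
        );
    }
    wp_reset_postdata();
    wp_send_json_success( array( 'posts' => $items, 'page' => $paged ) );
}
```

For detection, a request to admin-ajax.php for the load-more action from an unauthenticated session that returns items whose status is not "publish" is the condition a site owner would want to alert on.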

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00018

KEV

no

Activities

very low

Sources
