CVE-2026-2295: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpzoom WPZOOM Addons for Elementor – Starter Templates & Widgets
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.
AI Analysis
Technical Summary
CVE-2026-2295 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress. The root cause is a missing capability check in the 'ajax_post_grid_load_more' AJAX handler function, which is responsible for loading additional posts in a grid layout. This flaw allows unauthenticated attackers to invoke this function and retrieve titles and excerpts of posts that are in draft, future, or pending states—content that is normally restricted to authorized users. The vulnerability affects all versions up to and including 1.3.2. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only, without affecting integrity or availability. No patches or official fixes are currently listed, and no known exploits have been reported in the wild. The exposure of unpublished content can aid attackers in gathering intelligence about upcoming content, editorial plans, or sensitive information not intended for public disclosure. This can facilitate targeted phishing, social engineering, or more sophisticated attacks against the affected organization’s web infrastructure. The vulnerability is specific to WordPress sites using this plugin, which is popular among users of the Elementor page builder, particularly for creating starter templates and widgets.
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of sensitive or unpublished content, which can undermine editorial confidentiality and potentially expose business plans or sensitive information. This can damage reputation, lead to competitive disadvantage, or facilitate further attacks such as spear phishing. Although the vulnerability does not allow modification or deletion of content, the leakage of draft or pending posts can be critical for media companies, marketing agencies, or any organization relying on WordPress for content management. The impact is heightened for organizations that use this plugin extensively or rely on unpublished content for strategic communications. Additionally, regulatory implications under GDPR may arise if the leaked content includes personal data or information that should be protected under privacy laws. The lack of known exploits reduces immediate risk, but the ease of exploitation and network accessibility mean attackers could quickly develop exploits if motivated.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the WPZOOM Addons for Elementor – Starter Templates & Widgets plugin and verify the version in use. Since no official patch is currently available, temporary mitigations include disabling or removing the plugin until a fix is released. Alternatively, restricting access to the AJAX endpoint 'ajax_post_grid_load_more' via web application firewall (WAF) rules or server-level access controls can prevent unauthenticated requests. Implementing strict capability checks or custom code to validate user permissions before processing AJAX requests is recommended for organizations with development resources. Monitoring web server logs for suspicious access patterns targeting this AJAX function can help detect exploitation attempts. Organizations should also maintain regular backups and ensure their WordPress core and plugins are updated promptly once a patch is released. Finally, reviewing content management workflows to minimize sensitive information exposure in draft or pending posts can reduce risk.
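One way to implement the capability check recommended above, as an added example that is not the plugin's own code: a WordPress "load more" AJAX handler that pins unauthenticated callers to published posts and only lets users with the edit_others_posts capability see draft, pending or future items. The action name example_post_grid_load_more and the nonce action example_post_grid are assumptions.

```php
<?php
// Added example (not the plugin's code). Handler and nonce names are assumptions.

// Register the same callback for logged-in (wp_ajax_) and logged-out
// (wp_ajax_nopriv_) callers; the permission decision happens inside.
add_action( 'wp_ajax_example_post_grid_load_more', 'example_post_grid_load_more' );
add_action( 'wp_ajax_nopriv_example_post_grid_load_more', 'example_post_grid_load_more' );

function example_post_grid_load_more() {
    // Nonce check: rejects requests that did not originate from a page
    // that rendered the grid (dies with a 403-style response on failure).
    check_ajax_referer( 'example_post_grid', 'nonce' );

    $paged    = max( 1, absint( $_POST['page'] ?? 1 ) );
    $per_page = min( 50, max( 1, absint( $_POST['per_page'] ?? 6 ) ) );

    // Capability check: the statuses queried are decided server-side from the
    // caller's capabilities, never from request parameters. For logged-out
    // users current_user_can() is always false, so the nopriv path only ever
    // sees 'publish'.
    $post_status = array( 'publish' );
    if ( current_user_can( 'edit_others_posts' ) ) {
        $post_status = array( 'publish', 'draft', 'pending', 'future' );
    }

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => $post_status,
        'posts_per_page' => $per_page,
        'paged'          => $paged,
    ) );

    // Return only the fields the grid needs (title and excerpt), never raw post objects.
    $items = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $items[] = array(
            'id'      => get_the_ID(),
            'title'   => get_the_title(),
            'excerpt' => get_the_excerpt(),
        );
    }
    wp_reset_postdata();

    wp_send_json_success( array(
        'items'    => $items,
        'has_more' => $paged < (int) $query->max_num_pages,
    ) );
}
```

The same pattern applies to any nopriv AJAX handler: decide the allowed post statuses from the caller's capabilities before building the query, and treat every request parameter as untrusted paging input only.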
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-10T16:22:48.874Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698c4ff54b57a58fa188e032
Added to database: 2/11/2026, 9:46:29 AM
Last enriched: 2/11/2026, 10:00:38 AM
Last updated: 2/11/2026, 12:11:13 PM