CVE-2026-2295 is a vulnerability identified in the WPZOOM Addons for Elementor – Starter Templates & Widgets WordPress plugin, specifically in versions up to and including 1.3.2. The root cause is a missing capability check in the 'ajax_post_grid_load_more' AJAX function, which is intended to load post grid content dynamically. Due to this missing authorization control, unauthenticated attackers can invoke this function to retrieve titles and excerpts of posts that are normally protected, such as drafts, future scheduled posts, and pending posts. These posts are not publicly visible and typically contain sensitive or unpublished information. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely over the network without authentication or user interaction, impacting confidentiality only. There is no impact on integrity or availability. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability affects all versions of the plugin up to 1.3.2, which is widely used by WordPress sites employing Elementor page builder and WPZOOM's starter templates and widgets. The exposure of unpublished post content could lead to information leakage, potentially aiding further attacks or revealing sensitive business or personal data.

The primary impact of CVE-2026-2295 is unauthorized disclosure of sensitive unpublished content on WordPress sites using the vulnerable WPZOOM plugin. This can compromise confidentiality by exposing draft or scheduled posts that may contain proprietary information, internal communications, or other sensitive data not intended for public viewing. While the vulnerability does not allow modification or deletion of content, the leaked information could facilitate social engineering, reconnaissance for targeted attacks, or reputational damage if sensitive content is exposed. Organizations relying on WordPress for content management, especially those using Elementor and WPZOOM plugins, face increased risk of data leakage. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate scanning and data harvesting at scale. Although no known exploits exist yet, the vulnerability's public disclosure increases the likelihood of exploitation attempts. The impact is more pronounced for organizations publishing sensitive or confidential drafts and for websites with high visibility or strategic importance.

1. Immediately verify the version of WPZOOM Addons for Elementor – Starter Templates & Widgets installed; if it is version 1.3.2 or earlier, plan to upgrade to a patched version as soon as it becomes available. 2. Until a patch is released, consider disabling or restricting access to the vulnerable AJAX endpoint 'ajax_post_grid_load_more' via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. 3. Limit exposure of sensitive draft or scheduled posts by reviewing content publishing workflows and minimizing sensitive information stored in unpublished posts. 4. Implement monitoring and alerting for unusual or repeated requests to the vulnerable AJAX endpoint to detect potential exploitation attempts. 5. Employ principle of least privilege for WordPress user roles and capabilities to reduce risk from other potential vulnerabilities. 6. Regularly audit installed plugins and themes for vulnerabilities and maintain timely updates. 7. Educate content creators and administrators about the risks of storing sensitive information in draft posts accessible via plugins. 8. Consider deploying security plugins that can detect and block unauthorized access attempts to AJAX endpoints.