Ultimate Post Kit Addons for Elementor WordPress Plugin Unauthenticated Arbitrary Post Content Disclosure Vulnerability

A vulnerability exists in the Ultimate Post Kit Addons for Elementor WordPress plugin in versions prior to 4.0.16. The plugin exposes several AJAX 'load more' endpoints, such as 'upk_alex_grid_loadmore_posts', without verifying that the posts being requested are published. This oversight allows an unauthenticated attacker to query any post and access the rendered HTML of private or unpublished content.

Impact

Exploitation of this vulnerability could lead to unauthorized access to private and unpublished post content, which could be misused for various purposes, such as information gathering or content manipulation.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action 'upk_alex_grid_loadmore_posts'. Include parameters such as 'per_page' to specify the number of posts to retrieve, 'offset' to indicate the starting point for the query, and 'settings[posts_source]' set to 'post' to target regular posts. This request can be made using a tool like curl, and the response will include the HTML content of the queried posts, regardless of their publication status.

Remediation

Users are advised to update the Ultimate Post Kit Addons for Elementor WordPress plugin to version 4.0.16 or later.