Skip to main content

Ultimate Post Kit CVE-2026-24362

| EUVDEUVD-2026-15557 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15557
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.4

DescriptionCVE.org

Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.

AnalysisAI

A missing authorization vulnerability exists in bdthemes Ultimate Post Kit WordPress plugin through version 4.0.21, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control security levels. An attacker can leverage this vulnerability to perform unauthorized actions that should be restricted to authenticated or privileged users. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the vulnerability is classified under CWE-862 (Missing Authorization) and has been documented by Patchstack, indicating active research and potential exploitation concern.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to verify that a user has proper authorization before allowing access to sensitive functionality or data. Ultimate Post Kit is a WordPress plugin (cpe:2.3:a:bdthemes:ultimate_post_kit:*:*:*:*:*:*:*:*) that extends WordPress post display capabilities through custom widgets and templates. The broken access control stems from inadequately implemented capability checks or role-based access control (RBAC) mechanisms within WordPress plugin functions, likely in AJAX handlers, REST API endpoints, or admin action callbacks. The plugin's lack of proper nonce validation and capability verification allows attackers to bypass WordPress's built-in permission checks (typically relying on current_user_can() function calls), directly exploiting the plugin's custom functionality without proper authentication context.

RemediationAI

Immediately upgrade Ultimate Post Kit to the latest available version beyond 4.0.21, which should include authorization security fixes. Users must verify that patched versions are available from the bdthemes official repository or WordPress.org plugin directory before patching. In the interim, if a patch is unavailable or delayed, restrict plugin access by disabling the Ultimate Post Kit plugin entirely, reverting to alternative post display solutions, or enforcing strict network-level access controls to limit exposure to trusted administrator IP ranges only. Additionally, conduct a security audit of any custom Post Kit functionality to ensure WordPress capability checks (current_user_can() calls) and nonce verification are properly implemented on all user-facing actions and AJAX endpoints. Review user roles and capabilities to ensure least-privilege access is enforced. Monitor the Patchstack database and bdthemes official channels for patch release announcements and apply updates as soon as available.

Share

CVE-2026-24362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy