Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.
AnalysisAI
A missing authorization vulnerability exists in bdthemes Ultimate Post Kit WordPress plugin through version 4.0.21, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control security levels. An attacker can leverage this vulnerability to perform unauthorized actions that should be restricted to authenticated or privileged users. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the vulnerability is classified under CWE-862 (Missing Authorization) and has been documented by Patchstack, indicating active research and potential exploitation concern.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to verify that a user has proper authorization before allowing access to sensitive functionality or data. Ultimate Post Kit is a WordPress plugin (cpe:2.3:a:bdthemes:ultimate_post_kit:*:*:*:*:*:*:*:*) that extends WordPress post display capabilities through custom widgets and templates. The broken access control stems from inadequately implemented capability checks or role-based access control (RBAC) mechanisms within WordPress plugin functions, likely in AJAX handlers, REST API endpoints, or admin action callbacks. The plugin's lack of proper nonce validation and capability verification allows attackers to bypass WordPress's built-in permission checks (typically relying on current_user_can() function calls), directly exploiting the plugin's custom functionality without proper authentication context.
RemediationAI
Immediately upgrade Ultimate Post Kit to the latest available version beyond 4.0.21, which should include authorization security fixes. Users must verify that patched versions are available from the bdthemes official repository or WordPress.org plugin directory before patching. In the interim, if a patch is unavailable or delayed, restrict plugin access by disabling the Ultimate Post Kit plugin entirely, reverting to alternative post display solutions, or enforcing strict network-level access controls to limit exposure to trusted administrator IP ranges only. Additionally, conduct a security audit of any custom Post Kit functionality to ensure WordPress capability checks (current_user_can() calls) and nonce verification are properly implemented on all user-facing actions and AJAX endpoints. Review user roles and capabilities to ensure least-privilege access is enforced. Monitor the Patchstack database and bdthemes official channels for patch release announcements and apply updates as soon as available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15557