← back
CVE-2025-14434

Ultimate Post Kit < 4.0.16 – Unauthenticated Arbitrary Post Content Disclosure

CVSS 5.3 MEDIUMEPSS 0.2%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
31 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →