{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24362", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.201Z", "dateUpdated": "2026-03-25T16:14:31.201Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ultimate-post-kit", "product": "Ultimate Post Kit", "vendor": "bdthemes", "versions": [{"changes": [{"at": "4.0.22", "status": "unaffected"}], "lessThanOrEqual": "<= 4.0.21", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.431Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.</p>"}], "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post-kit/vulnerability/wordpress-ultimate-post-kit-plugin-4-0-21-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ultimate Post Kit plugin <= 4.0.21 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21."}], "id": "CVE-2026-24362", "lastModified": "2026-03-25T17:16:36.977", "metrics": {}, "published": "2026-03-25T17:16:36.977", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post-kit/vulnerability/wordpress-ultimate-post-kit-plugin-4-0-21-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.21]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.0.22,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ultimate_post_kit", "vendor": "bdthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:45:01.045918+00:00", "value": {"mitigation_remediation": ["Update Ultimate Post Kit to version 4.0.22 or later. ", "Restrict access to the plugin\u2019s administrative URLs using server\u2011side access controls such as .htaccess or firewall rules. ", "Review WordPress role and capability settings to ensure that only authorized users can access post\u2011creation and management functions. ", "If an upgrade cannot be performed immediately, disable or remove any unused or deprecated features of the plugin that could be exploited."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access and Privilege Escalation via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of bdthemes Ultimate Post Kit on WordPress that are using version 4.0.21 or earlier. Any site that has the plugin deployed at these versions is susceptible, regardless of the underlying WordPress core version.", "description_and_impact": "A missing authorization check in the Ultimate Post Kit plugin allows an attacker to bypass configured security levels and perform actions that should be restricted to privileged users. This can lead to unauthorized creation, modification, or deletion of posts and core plugin settings, effectively compromising site integrity and potentially enabling further exploitation. The weakness is classified as a broken access control issue.", "risk_and_exploitability": "As a broken access control flaw, the risk is high, particularly because the plugin exposes administrative interfaces accessible to all users when the check is absent. The lack of an access control check allows attackers to elevate privileges remotely through the site's HTTP interface. No EPSS score is provided, and the vulnerability has not been listed in CISA\u2019s KEV catalog, but the potential for immediate impact makes it a serious concern for vulnerable deployments."}}}}, "created": "2026-03-25T21:34:52.710383+00:00", "updated": "2026-03-26T11:40:06.668133+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$ultimate_post_kit", "wordpress", "wordpress$PRODUCT$wordpress"]}