{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24362", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.201Z", "dateUpdated": "2026-03-27T17:52:13.322Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ultimate-post-kit", "product": "Ultimate Post Kit", "vendor": "bdthemes", "versions": [{"changes": [{"at": "4.0.22", "status": "unaffected"}], "lessThanOrEqual": "<= 4.0.21", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.431Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.</p>"}], "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post-kit/vulnerability/wordpress-ultimate-post-kit-plugin-4-0-21-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ultimate Post Kit plugin <= 4.0.21 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T17:51:54.294893Z", "id": "CVE-2026-24362", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T17:52:13.322Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24362", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.201Z", "dateUpdated": "2026-03-27T17:52:13.322Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ultimate-post-kit", "product": "Ultimate Post Kit", "vendor": "bdthemes", "versions": [{"changes": [{"at": "4.0.22", "status": "unaffected"}], "lessThanOrEqual": "<= 4.0.21", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.431Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.</p>"}], "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post-kit/vulnerability/wordpress-ultimate-post-kit-plugin-4-0-21-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ultimate Post Kit plugin <= 4.0.21 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T17:51:54.294893Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T17:51:09.874Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en bdthemes Ultimate Post Kit ultimate-post-kit permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Ultimate Post Kit: desde n/a hasta &lt;= 4.0.21."}], "id": "CVE-2026-24362", "lastModified": "2026-03-27T18:16:04.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.977", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post-kit/vulnerability/wordpress-ultimate-post-kit-plugin-4-0-21-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.21]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.0.22,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ultimate_post_kit", "vendor": "bdthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T19:27:54.724894+00:00", "value": {"mitigation_remediation": ["Update the Ultimate Post Kit plugin to a version newer than 4.0.21.", "Verify that the plugin\u2019s access control settings enforce the least\u2011privilege model for all user roles.", "Monitor user activity and access logs for unexpected requests involving plugin functionality."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "bdthemes Ultimate Post Kit plugin is affected, specifically all releases up to and including version 4.0.21. The issue arises from incorrect configuration of the plugin\u2019s security levels, which have been left at default or overly permissive settings. WordPress administrators should verify that only trusted accounts have the necessary rights to use the plugin\u2019s features.", "description_and_impact": "Missing Authorization in the Ultimate Post Kit plugin allows attackers to perform actions beyond their intended privileges. This is a classic access control weakness (CWE\u2011862) that can result in unauthorized data exposure or manipulation. It does not directly grant code execution but enables privileged operations that may compromise the integrity and availability of the WordPress site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1 percent suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning there is no known active exploitation in the wild. Attackers appear to be able to exploit incorrectly configured access control levels, likely through the WordPress administrative interface or plugin\u2011exposed endpoints, though the exact mechanics are not detailed in the description. Based on the description it is inferred that an attacker with limited rights could use the plugin\u2019s capabilities to perform higher\u2011privilege operations, potentially escalating privileges or bypassing restrictions."}}}}, "created": "2026-03-25T21:34:52.710383+00:00", "updated": "2026-03-27T20:26:30.793721+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$ultimate_post_kit", "wordpress", "wordpress$PRODUCT$wordpress"]}