Key information

Title: Ultimate Post Kit < 4.0.16 - Unauthenticated Arbitrary Post Content Disclosure

Description: The plugin exposes several AJAX "load more" endpoints, such as upk_alex_grid_loadmore_posts, without checking that the requesting user is authorised to read the posts being rendered. This allows unauthenticated attackers to query arbitrary posts and retrieve the rendered HTML content of private and unpublished posts.

Affected plugin: Ultimate Post Kit

CVE: CVE-2025-14434

Classification

Type: NO AUTHORISATION
OWASP Top 10: A5: Broken Access Control
CWE: CWE-862
CVSS: 5.3 (medium)

Other information

Researcher: Drtime
Submitter: Drtime
Submitter website: https://t.me/drtime_02111
Verified: Yes
WPVDB ID: bf3c3193-fc9c-454b-ad4f-94ba1669a312

Timeline

Publicly published: 2025-12-10
Added: 2025-12-10
Last updated: 2025-12-10

Other vulnerabilities

2024-12-12: AR for WordPress < 7.4 - Missing Authorization to Unauthenticated Limited File Upload
2025-04-01: Bulk Fields Editor <= 1.8.0 - Missing Authorization
2025-01-16: Donate visa <= 1.0.0 - Missing Authorization
2025-06-27: WP DB Booster <= 1.0.1 - Missing Authorization
2024-03-04: SportsPress - Sports Club & League Manager < 2.7.18 - Missing Authorization to Unauthenticated Event Permalink Update
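The class of bug described above, as an added illustrative example rather than code from Ultimate Post Kit: a logged-out ("nopriv") AJAX "load more" handler that renders whatever post IDs the client sends, shown beside a hardened version that only renders posts the requester is allowed to read. The handler names (upk_example_loadmore_posts, upk_example_loadmore_posts_safe) and request parameters (post_ids, nonce) are assumptions chosen for the example; the plugin's real parameters are not known from this entry. Only the WordPress API calls are real.

```php
<?php
// Illustrative example added to this entry; not the plugin's own code.
// Handler names and request parameters below are assumptions.

// --- Vulnerable pattern: renders any post ID the client supplies.
function upk_example_loadmore_posts_vulnerable() {
    $ids  = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $html = '';
    foreach ( $ids as $id ) {
        // get_post() returns drafts, pending, future and private posts too;
        // nothing here checks whether the caller may read them.
        $post = get_post( $id );
        if ( ! $post ) {
            continue;
        }
        $html .= '<article><h2>' . esc_html( get_the_title( $post ) ) . '</h2>'
               . apply_filters( 'the_content', $post->post_content ) . '</article>';
    }
    wp_send_json_success( array( 'html' => $html ) );
}
// The wp_ajax_nopriv_ registration is what makes the disclosure unauthenticated.
add_action( 'wp_ajax_nopriv_upk_example_loadmore_posts', 'upk_example_loadmore_posts_vulnerable' );
add_action( 'wp_ajax_upk_example_loadmore_posts', 'upk_example_loadmore_posts_vulnerable' );

// --- Hardened pattern: render a post only if the current user may read it.
// A nonce alone does not fix this: nonces issued to logged-out visitors are
// public, and a nonce proves request origin, not authorisation for a post.
function upk_example_loadmore_posts_hardened() {
    check_ajax_referer( 'upk_example_loadmore', 'nonce' ); // CSRF check only

    $ids  = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $html = '';
    foreach ( array_slice( $ids, 0, 50 ) as $id ) { // cap the batch size
        $post = get_post( $id );
        if ( ! $post ) {
            continue;
        }
        // Allow publicly viewable type+status (e.g. a published post), or a user
        // holding the read_post meta capability for this specific post (author,
        // or a role with read_private_posts / edit_post for non-public statuses).
        // Logged-out users fail the second test for every non-public post.
        if ( ! is_post_publicly_viewable( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        // Password-protected posts must not leak their body either.
        if ( post_password_required( $post ) ) {
            continue;
        }
        $html .= '<article><h2>' . esc_html( get_the_title( $post ) ) . '</h2>'
               . apply_filters( 'the_content', $post->post_content ) . '</article>';
    }
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_nopriv_upk_example_loadmore_posts_safe', 'upk_example_loadmore_posts_hardened' );
add_action( 'wp_ajax_upk_example_loadmore_posts_safe', 'upk_example_loadmore_posts_hardened' );
```

The same mistake appears in loaders built on WP_Query or get_posts() when they pass 'post_status' => 'any' (or a client-controlled status) for anonymous requests; the per-post capability check above, or restricting the query to 'publish' for logged-out users, closes it. When reviewing a fix, confirm that the check keys on the requester's capability for each post rather than only on the presence of a nonce.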