WordPress Plugin Vulnerabilities

Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider < 2.3.1 - Missing Authorization

Description

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
ultimate-store-kit
Fixed in 2.3.1

References

CVE
CVE-2025-24584
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7c5ba00f-f5ec-42d9-8f30-9ce30a94fb0d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
93bd610f-a1da-4d9f-ac68-1bdcd475a72e

Timeline

Publicly Published
2024-12-19 (about 1 year ago)
Added
2025-02-19 (about 1 year ago)
Last Updated
2025-02-19 (about 1 year ago)

Other

Published
Title
Published
2024-10-24
Title
Templately < 3.1.6 - Missing Authorization via AJAX actions
Published
2024-06-03
Title
Admin Notices Manager < 1.5.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Published
2025-03-07
Title
Shortcode Cleaner Lite <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export
Published
2024-03-28
Title
Sliced Invoices < 3.9.3 - Missing Authorization
Published
2024-12-14
Title
Ksher < 1.1.2 - Missing Authorization