Description
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock an administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-05-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized administrative lockout via CSRF
Action: Patch
AI Analysis

Impact

The flaw is a cross‑site request forgery vulnerability caused by missing or incorrect nonce validation in the dismiss() function of the Ultimate Store Kit plugin. An attacker who can persuade a logged‑in administrator to visit a crafted link can cause the plugin to write arbitrary user‑meta values, typically setting them to “1”, which may lock the administrator account and prevent legitimate access to the site. While the flaw does not provide code execution or direct data theft, it enables a denial of service against a privileged account and can disrupt site administration.
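To illustrate the control the record says is missing, here is an added example (not code from the Ultimate Store Kit plugin; the hook name, nonce action string and meta keys are hypothetical) of a WordPress AJAX dismiss handler with the CSRF weakness the advisory describes, beside a hardened version that verifies the nonce, checks the caller's capability and only writes an allowlisted meta key for the current user:

```php
<?php
// Added illustrative example, not code from the Ultimate Store Kit plugin.
// Hook names, the nonce action string and the meta keys are hypothetical.

// Before: the pattern the advisory describes. Any request that reaches the
// handler is trusted, and the caller chooses which user-meta key is set to 1,
// so a forged request from another site can be made to run on the admin's behalf.
function example_notice_dismiss_unsafe() {
    $key = sanitize_key( $_REQUEST['notice'] ?? '' );
    update_user_meta( get_current_user_id(), $key, 1 );
    wp_die();
}

// After: the hardened handler.
function example_notice_dismiss_safe() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action and this user. check_ajax_referer() stops the request on failure.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization: only a logged-in user may dismiss their own notices.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never let the client name the meta key: map the request to a fixed
    //    allowlist so a forged or malformed request cannot touch other keys.
    $allowed = array(
        'welcome' => 'example_dismissed_welcome_notice',
        'review'  => 'example_dismissed_review_notice',
    );
    $notice = sanitize_key( $_POST['notice'] ?? '' );
    if ( ! isset( $allowed[ $notice ] ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // Only the current user's own, allowlisted key is ever written.
    update_user_meta( get_current_user_id(), $allowed[ $notice ], 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice', 'example_notice_dismiss_safe' );

// The front end must send the matching nonce, e.g. one produced with
// wp_create_nonce( 'example_dismiss_notice' ) and handed to the script via
// wp_localize_script() or wp_add_inline_script().
```

The nonce ties the request to the logged-in user and to this specific action, which is exactly what a cross-site forged request cannot supply.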

Affected Systems

All WordPress sites running the BDThemes Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor plugin version 2.4.1 or earlier are affected. The plugin is released under the free WordPress tier and can be identified by its name and vendor.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1 % suggests a very low likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Exploitation requires an authenticated administrator to click a malicious link, so successful attacks depend on social engineering rather than automated scanning. The CSRF vector can be triggered from any external page, so the vulnerability is network‑reachable and needs no privileges on the target (CVSS PR:N), but it does require user interaction from the victim (UI:R).

Generated by OpenCVE AI on April 22, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Store Kit plugin to version 2.4.2 or later, which includes proper nonce validation for the dismiss() function.
  • If an immediate update is not possible, temporarily disable or uninstall the plugin until a patch is released to remove the attack surface.
  • Monitor site administrators for unexpected changes to user meta values and verify that the dismiss() function does not allow arbitrary updates; investigate any unauthorized lockout events and reset affected accounts.

Advisories

Source: EUVD
ID: EUVD-2025-15116
Title: The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock an administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 12 May 2025 20:00:00 +0000

Type: First Time appeared
Values Added: Bdthemes; Bdthemes ultimate Store Kit

Type: CPEs
Values Added: cpe:2.3:a:bdthemes:ultimate_store_kit:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Added: Bdthemes; Bdthemes ultimate Store Kit

Thu, 01 May 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 01 May 2025 03:45:00 +0000

Type: Description
Values Added: The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock an administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.4.1 - Cross-Site Request Forgery to Limited User Meta Update

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:05.197Z

Reserved: 2025-03-10T14:05:43.035Z

Link: CVE-2025-2168

Vulnrichment

Updated: 2025-05-01T13:21:19.914Z

NVD

Status: Analyzed

Published: 2025-05-01T04:16:53.127

Modified: 2025-05-12T19:38:07.983

Link: CVE-2025-2168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses