The bug is a deserialization of untrusted data in the Ultimate Store Kit Elementor Addons plugin, identified as a CWE‑502 vulnerability. An attacker who can supply crafted serialized payloads to the plugin may trigger object injection, which can immediately lead to remote code execution and full compromise of the affected WordPress site. The flaw allows malicious code to run with the permissions of the WordPress installation, potentially exposing site data, defacing the site, or installing backdoors.

WordPress sites running the bdthemes Ultimate Store Kit Elementor Addons plugin, versions from the earliest available release through 2.4.0, are affected. The vulnerability exists in any installation that has not upgraded beyond 2.4.0. No other products by bdthemes are known to be impacted, and there are no specific sub‑components listed as affected.

The CVSS score is 9.8, indicating critical severity. The EPSS score is under 1 %, so active exploitation is believed to be rare, and the vulnerability is not listed in CISA’s KEV catalog. The most probable attack vector is the deserialization of untrusted data provided by the plugin, likely through crafted HTTP requests or user uploads that the plugin processes. Because the flaw permits arbitrary code execution, a successful exploit would give an attacker full control over the affected WordPress installation.