Description
Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4.
Published: 2026-01-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access and Modification
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Ultimate Store Kit Elementor Addons plugin version 2.9.4 and earlier, allowing an attacker to access or modify store configuration data due to incorrectly configured access control settings. This flaw is classified as CWE‑862. The primary impact is that an attacker could obtain or alter administrative settings, potentially compromising the integrity of the e‑commerce store and exposing sensitive configuration data.

Affected Systems

The affected product is the bdthemes Ultimate Store Kit Elementor Addons plugin for WordPress, versions up to and including 2.9.4.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve remote exploitation through web‑based plugin endpoints; an attacker could exploit the flaw by interacting with the plugin’s exposed interfaces to gain unauthorized access or modify store settings.

Generated by OpenCVE AI on April 27, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Store Kit Elementor Addons plugin to a version later than 2.9.4.
  • Review and enforce correct role‑based access controls for all plugin functions to ensure only authorized users can manage store settings.
  • If an upgrade is not immediately possible, isolate or disable vulnerable plugin endpoints and restrict access to those URLs via access control rules or server configuration changes.

Generated by OpenCVE AI on April 27, 2026 at 21:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes utlimate Store Kit Elementor Addons
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes utlimate Store Kit Elementor Addons
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4.
Title WordPress Ultimate Store Kit Elementor Addons plugin <= 2.9.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Bdthemes Utlimate Store Kit Elementor Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:53:47.170Z

Reserved: 2025-12-31T20:12:23.433Z

Link: CVE-2025-69336

cve-icon Vulnrichment

Updated: 2026-01-06T16:58:33.056Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T17:15:46.463

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses