GCVE - cpe:2.3:a:bdthemes:ultimate_store_kit:*:*:*:*:free:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:bdthemes:ultimate_store_kit:*:*:*:*:free:wordpress:*:*

part: a version: * update: *

Vendor	Bdthemes (`5429b37a-0acd-5ad1-805d-fa178e11cdda`)
Product	Ultimate Store Kit (`6a4b1767-cda0-5270-8110-266ff2ea89e8`)
Edition	*
Language	*
Software edition	free
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-2168`	vulnerable	2026-06-03 15:00:16.308972	Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.4.1 - Cross-Site Request Forgery to Limited User Meta Update MEDIUM (4.3) The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock and administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2025-05-01T03:23:39.967Z Updated: 2026-04-08T17:13:05.197Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/a48634d7-30c9-4124-87dd-93a303a969eb?source=cve https://plugins.trac.wordpress.org/browser/ultimate-store-kit/tags/2.3.6/admin/admin-notice.php#L43 https://plugins.trac.wordpress.org/changeset/3283438/ultimate-store-kit/trunk/admin/admin-notice.php https://plugins.trac.wordpress.org/changeset/3255125/ultimate-store-kit/trunk/admin/admin-notice.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-8030`	vulnerable	2026-06-03 14:58:07.954893	Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.0.3 - Unauthenticated PHP Object Injection CRITICAL (9.8) The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_wishlist cookie in versions up to , and including, 2.0.3. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. Published: 2024-08-28T02:05:47.143Z Updated: 2026-04-08T17:31:56.985Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/ef566dca-91ed-4929-b36b-4e424e07e1d4?source=cve https://plugins.trac.wordpress.org/changeset/3141022/ultimate-store-kit/trunk/includes/helper.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-5335`	vulnerable	2026-06-03 14:57:52.414134	Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 1.6.4 - Unauthenticated PHP Object Injection CRITICAL (9.8) The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_compare_products cookie in versions up to , and including, 1.6.4. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. Published: 2024-08-21T08:29:14.736Z Updated: 2026-04-08T16:43:35.145Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/2ae44bcb-6149-4661-8890-23c867e9a918?source=cve https://plugins.trac.wordpress.org/browser/ultimate-store-kit/trunk/includes/helper.php#L1103 https://plugins.trac.wordpress.org/changeset/3135472/ultimate-store-kit/trunk/includes/helper.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-43342`	vulnerable	2026-06-03 14:56:45.029673	WordPress Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability MEDIUM (6.5) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BdThemes Ultimate Store Kit Elementor Addons allows Stored XSS.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.4. Published: 2024-08-18T13:22:30.283Z Updated: 2026-04-28T16:10:13.107Z Open on db.gcve.eu Reference links https://patchstack.com/database/vulnerability/ultimate-store-kit/wordpress-ultimate-store-kit-elementor-addons-woocommerce-builder-edd-builder-elementor-store-builder-product-grid-product-table-woocommerce-slider-plugin-1-6-4-cross-site-scripting-xss-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Ultimate Store Kit

PURL mappings

Vulnerability references

Contribute