CVE-2024-5335
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform PHP object injection via a manipulated cookie in the Ultimate Store Kit plugin suite for WordPress. Attackers can execute arbitrary code, delete files, or steal data if a suitable POP chain exists from other installed plugins/themes. All WordPress sites using affected plugin versions are at risk.
💻 Affected Systems
- Ultimate Store Kit Elementor Addons
- Woocommerce Builder
- EDD Builder
- Elementor Store Builder
- Product Grid
- Product Table
- Woocommerce Slider
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, and server takeover if a POP chain exists in the environment.
Likely Case
Denial of service, file deletion, or data exposure depending on available POP chains from other installed components.
If Mitigated
Limited impact to availability if no compatible POP chains exist, though injection still occurs.
🎯 Exploit Status
Exploitation requires crafting malicious serialized PHP objects and identifying available POP chains in the target environment.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.6.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3135472/ultimate-store-kit/trunk/includes/helper.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins.
3. Find Ultimate Store Kit plugin.
4. Click 'Update Now' if available.
5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Cookie Validation Filter
Add input validation for the _ultimate_store_kit_compare_products cookie to reject serialized objects
Add to theme's functions.php or custom plugin:
add_action('init', function () {
    $name = '_ultimate_store_kit_compare_products';
    // Match O:/C: tokens at the start of the value or nested after ';'.
    // No quote in the pattern: WordPress adds slashes to $_COOKIE values.
    if (isset($_COOKIE[$name]) && is_string($_COOKIE[$name])
        && preg_match('/(?:^|;)[OC]:\+?\d+:/', $_COOKIE[$name])) {
        unset($_COOKIE[$name]);
    }
});
🧯 If You Can't Patch
- Disable or remove the Ultimate Store Kit plugin immediately
- Implement web application firewall rules to block requests containing serialized PHP objects in cookies
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Ultimate Store Kit version. If the version is 1.6.4 or lower, the system is vulnerable.
Check Version:
wp plugin list --name="ultimate-store-kit" --field=version
Verify Fix Applied:
Confirm plugin version is higher than 1.6.4 and check that line 1103 in includes/helper.php no longer contains unsafe unserialize() calls.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests with base64 or serialized data in cookies
- PHP warnings related to unserialize() in web server logs
- Unexpected file deletions or modifications
Network Indicators:
- HTTP requests containing 'O:' serialized object patterns in cookie headers
- Unusual traffic to wp-content/plugins/ultimate-store-kit/ paths
SIEM Query:
web.access_log: "_ultimate_store_kit_compare_products" AND (web.uri: "*O:*" OR web.cookie: "*O:*")
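Added example (not from the advisory or the plugin's code): a Python scan of access-log lines for the cookie indicator above, flagging serialized-object tokens in _ultimate_store_kit_compare_products after URL-decoding and, as a precaution taken from the log indicators, base64-decoding. It assumes a log format that records the Cookie header as the last quoted field; the sample lines, IPs and cookie values are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "_ultimate_store_kit_compare_products"
COOKIE_RE = re.compile(re.escape(COOKIE_NAME) + r"=([^;\s]*)")
# O:/C: token at the start of the value, or after ';' when the object is
# nested inside a serialized array or another object.
OBJECT_TOKEN = re.compile(r"(?:^|;)[OC]:\+?\d+:")


def candidate_decodings(raw):
    """Yield the URL-decoded value and, if it parses, its base64 decoding."""
    value = unquote(raw.rstrip('"'))  # drop the log field's closing quote
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64; only the plain value is checked


def is_suspicious(log_line):
    """True if the compare-products cookie carries a serialized PHP object."""
    match = COOKIE_RE.search(log_line)
    if match is None:
        return False
    return any(OBJECT_TOKEN.search(v) for v in candidate_decodings(match.group(1)))


def scan(lines):
    """Return (line_number, client_ip) for every suspicious log line."""
    return [(n, ln.split()[0]) for n, ln in enumerate(lines, 1) if is_suspicious(ln)]


def make_line(ip, cookies):
    """Build one constructed log line (assumed format: Cookie header last)."""
    return f'{ip} - - [12/Jun/2024:10:00:00 +0000] "GET /shop/ HTTP/1.1" 200 512 "{cookies}"'

# Constructed samples: documentation IPs, harmless stdClass values only.
SAMPLE_LOG = [
    make_line("203.0.113.10", COOKIE_NAME + "=a%3A2%3A%7Bi%3A0%3Bi%3A15%3Bi%3A1%3Bi%3A27%3B%7D"),
    make_line("198.51.100.7", "wp_lang=en; " + COOKIE_NAME + "=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    make_line("198.51.100.8", COOKIE_NAME + "=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"),
    make_line("198.51.100.9", COOKIE_NAME + "=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D; other=1"),
    make_line("203.0.113.11", "wp_lang=en"),
]
```

Unlike a pattern anchored only at the start of the value, this also flags objects nested inside a serialized array (sample line 3), while the plain integer array in line 1 is left alone.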