CVE-2024-8030
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform PHP object injection via deserialization of untrusted input in the Ultimate Store Kit plugin suite for WordPress. Attackers can potentially execute arbitrary code, delete files, or access sensitive data if a POP chain exists through other installed plugins or themes. All WordPress sites using affected plugin versions are vulnerable.
💻 Affected Systems
- Ultimate Store Kit Elementor Addons
- Woocommerce Builder
- EDD Builder
- Elementor Store Builder
- Product Grid
- Product Table
- Woocommerce Slider
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or site defacement if a POP chain exists in other installed components
Likely Case
Denial of service, file deletion, or data exposure through available POP chains in common WordPress plugins/themes
If Mitigated
Limited impact to plugin functionality with no code execution due to lack of POP chain in the vulnerable plugin alone
🎯 Exploit Status
No authentication required. Exploitation requires crafting malicious cookie values. Impact depends on availability of POP chains from other installed plugins/themes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.0.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3141022/ultimate-store-kit/trunk/includes/helper.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Ultimate Store Kit plugin suite
4. Click 'Update Now' if available
5. If no update available, deactivate and delete plugin, then install latest version from WordPress repository
🔧 Temporary Workarounds
Cookie Validation Filter
allAdd input validation for the _ultimate_store_kit_wishlist cookie
Add to WordPress theme functions.php or custom plugin:
add_filter('init', function() {
if (isset($_COOKIE['_ultimate_store_kit_wishlist'])) {
$data = $_COOKIE['_ultimate_store_kit_wishlist'];
if (!is_string($data) || !preg_match('/^[a-zA-Z0-9\/+=]+$/', $data)) {
unset($_COOKIE['_ultimate_store_kit_wishlist']);
}
}
});
🧯 If You Can't Patch
- Immediately deactivate and remove all Ultimate Store Kit plugins
- Implement WAF rules to block requests containing _ultimate_store_kit_wishlist cookie with serialized data patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Ultimate Store Kit plugins with version ≤ 2.0.3Check Version:
wp plugin list --name="*ultimate*store*kit*" --field=versionVerify Fix Applied:
Verify plugin version is > 2.0.3 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual PHP errors related to unserialize()
- Multiple failed unserialization attempts
- Requests with malformed _ultimate_store_kit_wishlist cookie values
Network Indicators:
- HTTP requests with specially crafted _ultimate_store_kit_wishlist cookies
- Unusual POST requests to WordPress admin-ajax.php
SIEM Query:
web.access_log | where url contains "admin-ajax.php" and cookie contains "_ultimate_store_kit_wishlist" and cookie matches /[^a-zA-Z0-9\/+=]/