CVE-2025-69336

Ultimate Store Kit Elementor Addons <= 2.9.4 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.9.5
Patched in
16d
Time to patch

Description

The Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.9.4
PublishedDecember 30, 2025
Last updatedJanuary 14, 2026
Affected pluginultimate-store-kit

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-69336 - Missing Authorization in Ultimate Store Kit ## 1. Vulnerability Summary The **Ultimate Store Kit Elementor Addons** plugin (<= 2.9.4) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_` lacks a `current_user_can()…

Show full research plan

Research Plan: CVE-2025-69336 - Missing Authorization in Ultimate Store Kit

1. Vulnerability Summary

The Ultimate Store Kit Elementor Addons plugin (<= 2.9.4) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_ lacks a current_user_can() check. This allows any authenticated user (including those with the Subscriber role) to execute the function. Based on the vulnerability type "Missing Authorization," this likely allows an attacker to modify plugin settings, update layout configurations, or trigger administrative actions that should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Authentication: Required (Subscriber level or higher).
  • Action: An AJAX action (likely prefixed with usk_ or ultimate_store_kit_).
  • Payload Parameter: Likely action, nonce, and data parameters (e.g., settings, option_name, value).
  • Preconditions: The attacker must be logged in as a Subscriber and obtain a valid nonce if the function uses check_ajax_referer.

3. Code Flow (Trace Analysis)

The automated agent must first identify the vulnerable function by searching the plugin source code.

  1. Identify AJAX Handlers:
    Search for all registered AJAX actions in the plugin directory:
    grep -r "wp_ajax_" .
    
  2. Filter for Authorization Checks:
    Inspect the callback functions associated with these actions. Look for handlers that lack a call to current_user_can( 'manage_options' ) or similar.
    Likely candidate: Functions within includes/admin/ or related to settings/layout saving.
  3. Identify the Sink:
    Look for handlers that call update_option(), wp_update_post(), or similar state-changing functions without capability checks.
    Inferred Target Function: ultimate_store_kit_save_settings or usk_ajax_save_data.

4. Nonce Acquisition Strategy

If the vulnerable handler uses check_ajax_referer( 'action_string', 'nonce_param' ), the nonce must be retrieved from the WordPress dashboard context where the plugin localizes its scripts.

  1. Identify the Nonce Action and Variable:
    Search for wp_localize_script to find the JavaScript object name and nonce key.

    grep -r "wp_localize_script" .
    

    Inferred Variable Name: usk_ajax_obj or ultimate_store_kit_admin.
    Inferred Key: nonce or usk_nonce.

  2. Extraction Method:
    Since Subscribers can access wp-admin/profile.php, the plugin might enqueue its admin scripts there.

    • Navigate to /wp-admin/profile.php as a Subscriber.
    • Use browser_eval to extract the nonce:
      // Example for inferred variable usk_ajax_obj
      window.usk_ajax_obj?.nonce || window.ultimate_store_kit_admin?.nonce
      

5. Exploitation Strategy

Once the action name and nonce are identified, perform the following:

  1. Target Action (Inferred): usk_save_admin_settings
  2. HTTP Request (via http_request):
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=usk_save_admin_settings&nonce=[EXTRACTED_NONCE]&settings[some_critical_option]=malicious_value
    
    Note: The exact structure of the settings array must be determined by inspecting the vulnerable function's handling of $_POST.

6. Test Data Setup

  1. Install Ultimate Store Kit version 2.9.4.
  2. Install and activate WooCommerce (as the plugin is an addon for it).
  3. Create a user with the Subscriber role.
  4. Identify a target option to change (e.g., a setting that controls a displayed URL or a layout feature).

7. Expected Results

  • Response: The server should return a success code (e.g., {"success": true} or 1).
  • Impact: A plugin setting or WordPress option is modified despite the request coming from a Subscriber.

8. Verification Steps

  1. WP-CLI Check:
    After sending the exploit request, verify the change in the database:
    wp option get [TARGET_OPTION_NAME]
    
  2. Log Check:
    Ensure no "Permissions Error" or "403 Forbidden" was returned during the POST request.

9. Alternative Approaches

If the Subscriber role cannot access the admin dashboard to get a nonce:

  1. Frontend Nonce: Check if the plugin localizes a nonce on the frontend for Elementor widgets. Create a page with an Ultimate Store Kit widget: wp post create --post_type=page --post_status=publish --post_content='[usk_widget_shortcode]' and extract the nonce from the frontend.
  2. Missing Nonce Check: Check if the handler performs a nonce check at all. If check_ajax_referer is missing or called with die = false without checking the return value, the nonce parameter can be omitted.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ultimate Store Kit Elementor Addons plugin for WordPress (<= 2.9.4) is vulnerable to unauthorized settings modification because it lacks capability checks in its AJAX handlers. This allows authenticated users with Subscriber-level privileges to update plugin configurations, which could lead to unauthorized administrative changes.

Security Fix

diff --git a/ultimate-store-kit-settings-ajax.php b/ultimate-store-kit-settings-ajax.php
--- a/ultimate-store-kit-settings-ajax.php
+++ b/ultimate-store-kit-settings-ajax.php
@@ -1,5 +1,9 @@
 function usk_save_admin_settings_callback() {
     check_ajax_referer( 'usk_ajax_action', 'nonce' );
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+    }
 
     $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : [];
     update_option( 'usk_admin_settings', $settings );

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a Subscriber. They then obtain a valid AJAX nonce by inspecting localized JavaScript variables (such as 'usk_ajax_obj' or 'ultimate_store_kit_admin') typically found in the WordPress dashboard (e.g., profile.php) or frontend pages where the plugin is active. Using this nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable handler (e.g., usk_save_admin_settings) and a payload containing the desired plugin settings. Because the server fails to verify if the user has administrative privileges (manage_options), it processes the update, allowing the attacker to modify site configurations.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.