Ultimate Store Kit Elementor Addons <= 2.9.4 - Missing Authorization
Description
The Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.9.4Source Code
WordPress.org SVN# Research Plan: CVE-2025-69336 - Missing Authorization in Ultimate Store Kit ## 1. Vulnerability Summary The **Ultimate Store Kit Elementor Addons** plugin (<= 2.9.4) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_` lacks a `current_user_can()…
Show full research plan
Research Plan: CVE-2025-69336 - Missing Authorization in Ultimate Store Kit
1. Vulnerability Summary
The Ultimate Store Kit Elementor Addons plugin (<= 2.9.4) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_ lacks a current_user_can() check. This allows any authenticated user (including those with the Subscriber role) to execute the function. Based on the vulnerability type "Missing Authorization," this likely allows an attacker to modify plugin settings, update layout configurations, or trigger administrative actions that should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - Authentication: Required (Subscriber level or higher).
- Action: An AJAX action (likely prefixed with
usk_orultimate_store_kit_). - Payload Parameter: Likely
action,nonce, and data parameters (e.g.,settings,option_name,value). - Preconditions: The attacker must be logged in as a Subscriber and obtain a valid nonce if the function uses
check_ajax_referer.
3. Code Flow (Trace Analysis)
The automated agent must first identify the vulnerable function by searching the plugin source code.
- Identify AJAX Handlers:
Search for all registered AJAX actions in the plugin directory:grep -r "wp_ajax_" . - Filter for Authorization Checks:
Inspect the callback functions associated with these actions. Look for handlers that lack a call tocurrent_user_can( 'manage_options' )or similar.
Likely candidate: Functions withinincludes/admin/or related to settings/layout saving. - Identify the Sink:
Look for handlers that callupdate_option(),wp_update_post(), or similar state-changing functions without capability checks.
Inferred Target Function:ultimate_store_kit_save_settingsorusk_ajax_save_data.
4. Nonce Acquisition Strategy
If the vulnerable handler uses check_ajax_referer( 'action_string', 'nonce_param' ), the nonce must be retrieved from the WordPress dashboard context where the plugin localizes its scripts.
Identify the Nonce Action and Variable:
Search forwp_localize_scriptto find the JavaScript object name and nonce key.grep -r "wp_localize_script" .Inferred Variable Name:
usk_ajax_objorultimate_store_kit_admin.
Inferred Key:nonceorusk_nonce.Extraction Method:
Since Subscribers can accesswp-admin/profile.php, the plugin might enqueue its admin scripts there.- Navigate to
/wp-admin/profile.phpas a Subscriber. - Use
browser_evalto extract the nonce:// Example for inferred variable usk_ajax_obj window.usk_ajax_obj?.nonce || window.ultimate_store_kit_admin?.nonce
- Navigate to
5. Exploitation Strategy
Once the action name and nonce are identified, perform the following:
- Target Action (Inferred):
usk_save_admin_settings - HTTP Request (via
http_request):
Note: The exact structure of thePOST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=usk_save_admin_settings&nonce=[EXTRACTED_NONCE]&settings[some_critical_option]=malicious_valuesettingsarray must be determined by inspecting the vulnerable function's handling of$_POST.
6. Test Data Setup
- Install Ultimate Store Kit version 2.9.4.
- Install and activate WooCommerce (as the plugin is an addon for it).
- Create a user with the Subscriber role.
- Identify a target option to change (e.g., a setting that controls a displayed URL or a layout feature).
7. Expected Results
- Response: The server should return a success code (e.g.,
{"success": true}or1). - Impact: A plugin setting or WordPress option is modified despite the request coming from a Subscriber.
8. Verification Steps
- WP-CLI Check:
After sending the exploit request, verify the change in the database:wp option get [TARGET_OPTION_NAME] - Log Check:
Ensure no "Permissions Error" or "403 Forbidden" was returned during the POST request.
9. Alternative Approaches
If the Subscriber role cannot access the admin dashboard to get a nonce:
- Frontend Nonce: Check if the plugin localizes a nonce on the frontend for Elementor widgets. Create a page with an Ultimate Store Kit widget:
wp post create --post_type=page --post_status=publish --post_content='[usk_widget_shortcode]'and extract the nonce from the frontend. - Missing Nonce Check: Check if the handler performs a nonce check at all. If
check_ajax_refereris missing or called withdie = falsewithout checking the return value, the nonce parameter can be omitted.
Summary
The Ultimate Store Kit Elementor Addons plugin for WordPress (<= 2.9.4) is vulnerable to unauthorized settings modification because it lacks capability checks in its AJAX handlers. This allows authenticated users with Subscriber-level privileges to update plugin configurations, which could lead to unauthorized administrative changes.
Security Fix
@@ -1,5 +1,9 @@ function usk_save_admin_settings_callback() { check_ajax_referer( 'usk_ajax_action', 'nonce' ); + + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); + } $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : []; update_option( 'usk_admin_settings', $settings );
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate as a Subscriber. They then obtain a valid AJAX nonce by inspecting localized JavaScript variables (such as 'usk_ajax_obj' or 'ultimate_store_kit_admin') typically found in the WordPress dashboard (e.g., profile.php) or frontend pages where the plugin is active. Using this nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable handler (e.g., usk_save_admin_settings) and a payload containing the desired plugin settings. Because the server fails to verify if the user has administrative privileges (manage_options), it processes the update, allowing the attacker to modify site configurations.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.