Ultimate Store Kit WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress, affecting all versions through 2.4.1. The vulnerability arises from inadequate nonce validation in the dismiss() function, allowing unauthenticated attackers to manipulate user meta values. This could potentially lock an administrator out of their site by sending a forged request, provided the attacker can persuade the admin to click a link.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, enabling attackers to manipulate user meta data and potentially lock administrators out of their WordPress sites.

Reproduction

To reproduce this vulnerability, an attacker sends a forged request to the WordPress site containing the 'id' of a notice to dismiss together with a 'meta' value set to 'user'. Because nonce validation in the dismiss() function is missing or incorrect, the request is processed even though it carries no valid nonce. If successful, the user meta value associated with the notice ID is updated, which can be used to lock an administrator out of their account.
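The following added example is not code from the Ultimate Store Kit plugin; it is a hypothetical WordPress notice-dismiss AJAX handler written to show the checks whose absence the Vulnerability and Reproduction sections describe: a nonce tied to the action and the user's session, a capability check, and a fixed allow-list of notice IDs and meta keys instead of attacker-chosen ones. The action name, nonce action, script handle, meta key prefix and notice IDs are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Names below are assumptions.

// Enqueue-side: hand the front-end a nonce bound to the dismiss action.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-notices', 'exampleNotices', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dismiss_notice' ),
    ) );
} );

// Only the wp_ajax_ hook is registered (no wp_ajax_nopriv_), so a request
// from a visitor who is not logged in never reaches the handler at all.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice' );

function example_dismiss_notice() {
    // 1. CSRF check: the request must carry a nonce created for this action
    //    and this user's session. check_ajax_referer() dies with HTTP 403
    //    when the 'nonce' field is absent or invalid, which is the check a
    //    handler of the class described above lacks.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization: dismissing admin notices is an admin-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only a known notice id. The stored value
    //    and the meta key are fixed by the code, never taken from the
    //    request, so a forged request cannot choose what gets written.
    $allowed_ids = array( 'welcome', 'upgrade' );
    $id = isset( $_POST['id'] ) ? sanitize_key( wp_unslash( $_POST['id'] ) ) : '';
    if ( ! in_array( $id, $allowed_ids, true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    // 4. Write only to the current user's own meta under a fixed key.
    update_user_meta( get_current_user_id(), 'example_dismissed_' . $id, 1 );
    wp_send_json_success();
}
```

The front-end script must POST `action=example_dismiss_notice`, the notice `id`, and `nonce=exampleNotices.nonce` to `exampleNotices.ajaxUrl`; a request that omits the nonce, or that a third-party page forges on the admin's behalf, fails at step 1 before any meta is touched. When reviewing a plugin for this bug class, look for `wp_ajax_` or `wp_ajax_nopriv_` callbacks that call `update_user_meta()` or `update_option()` without a preceding `check_ajax_referer()` or `wp_verify_nonce()` and a capability check.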

Remediation

Users are advised to update the Ultimate Store Kit WordPress plugin to version 2.5.0 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.