Cross-Site Request Forgery Vulnerability in Ultimate Store Kit for WordPress
CVE-2025-2168
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 1 May 2025
What is CVE-2025-2168?
The Ultimate Store Kit Elementor Addons for WordPress is vulnerable to a Cross-Site Request Forgery due to missing or incorrect nonce validation on its dismiss() function. An unauthenticated attacker can exploit this weakness to manipulate user meta values, potentially locking an administrator out of their account. This occurs when the attacker successfully tricks the site administrator into clicking a crafted link, leading to unauthorized actions on the site.
Affected Version(s)
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder * <= 2.4.1