PT-2024-35729 · WordPress · Edd Builder +6

Peter Thaleikis · Published 2024-08-21 · Updated 2026-04-08 · CVE-2024-5335

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin versions up to 1.6.4

Description: The issue concerns PHP Object Injection via deserialization of untrusted input through the ultimate store kit compare products cookie. This allows an unauthenticated attacker to inject a PHP object. No POP chain is present in the vulnerable plugin, but if one is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations: For versions up to 1.6.4, update to a version higher than 1.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the ultimate store kit compare products cookie to minimize the risk of exploitation.
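The code pattern behind this class of finding, shown as an added illustration that is not the plugin's own code: a compare-products list kept in a cookie and restored with unserialize(), beside a hardened version that stores the same list as JSON and validates every entry, plus the allowed_classes stopgap for code that cannot change its cookie format right away. The cookie name usk_compare_products, the function names and the length limit are assumptions; this page does not give the plugin's actual identifiers.

```php
<?php
// Added illustration, not the plugin's code. The cookie name, function names
// and USK_COMPARE_MAX are assumed for the example.

// VULNERABLE pattern: the cookie body is fully attacker-controlled, and
// unserialize() instantiates whatever class the payload names. Without a
// gadget (POP) chain in the plugin itself this is object injection only, but
// any other plugin or theme whose classes do work in __wakeup()/__destruct()
// supplies the chain, which is the scenario the advisory describes.
function usk_get_compare_ids_vulnerable(): array {
    if (!isset($_COOKIE['usk_compare_products'])) {
        return [];
    }
    // WordPress adds slashes to $_COOKIE, hence stripslashes() before parsing.
    $ids = unserialize(stripslashes($_COOKIE['usk_compare_products']));
    return is_array($ids) ? $ids : [];
}

// HARDENED pattern: user input never reaches unserialize(). A list of product
// IDs needs no object graph, so it is stored as JSON and the decoded value is
// checked strictly: an array, bounded in length, of positive integers only.
const USK_COMPARE_COOKIE = 'usk_compare_products';
const USK_COMPARE_MAX    = 20;

function usk_get_compare_ids(): array {
    if (!isset($_COOKIE[USK_COMPARE_COOKIE])) {
        return [];
    }
    $decoded = json_decode(stripslashes($_COOKIE[USK_COMPARE_COOKIE]), true);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach (array_slice($decoded, 0, USK_COMPARE_MAX) as $value) {
        // Only whole positive integers survive; strings, floats, nested
        // arrays and anything else are dropped silently.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

function usk_set_compare_ids(array $ids): void {
    $ids = array_values(array_unique(array_map('intval', $ids)));
    // COOKIEPATH, COOKIE_DOMAIN, is_ssl() and DAY_IN_SECONDS are WordPress
    // globals; the final true marks the cookie HttpOnly.
    setcookie(
        USK_COMPARE_COOKIE,
        wp_json_encode($ids),
        time() + DAY_IN_SECONDS,
        COOKIEPATH,
        COOKIE_DOMAIN,
        is_ssl(),
        true
    );
}

// STOPGAP for code that must keep reading serialized cookies for now:
// allowed_classes => false makes unserialize() turn every object in the
// payload into __PHP_Incomplete_Class, so no __wakeup()/__destruct() of any
// real class runs. Scalars and arrays still decode normally.
function usk_unserialize_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}
```

For detection during review, grepping a plugin tree for unserialize( whose argument derives from $_COOKIE, $_GET, $_POST or $_REQUEST (directly or through stripslashes()/base64_decode()) surfaces this pattern quickly; the JSON version above is the shape such a call should be replaced with when the data is plain values.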

Tags: Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2024-5335

Affected Products

Edd Builder
Elementor Store Builder
Product Grid
Product Table
Ultimate Store Kit Elementor Addons
Woocommerce Builder
Woocommerce Slider