CVE-2024-5335 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the bdthemes Ultimate Store Kit Elementor Addons and associated plugins including Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, and Woocommerce Slider. The flaw exists in versions up to and including 1.6.4 and is triggered by unsafe deserialization of data from the _ultimate_store_kit_compare_products cookie. This cookie accepts serialized PHP objects from unauthenticated users, enabling PHP Object Injection. Although the vulnerable plugin itself does not contain a gadget chain (a sequence of code enabling exploitation), if other plugins or themes installed on the same WordPress instance provide such chains, attackers can leverage this vulnerability to perform destructive actions such as arbitrary file deletion, sensitive data disclosure, or remote code execution. The vulnerability is remotely exploitable over the network without any authentication or user interaction, contributing to its high CVSS score of 9.8. The vulnerability was published on August 21, 2024, and no public exploits have been observed yet. The risk is compounded by the widespread use of these plugins in e-commerce WordPress sites, making them attractive targets for attackers seeking to compromise online stores or steal customer data.

The impact of CVE-2024-5335 is severe for organizations using the affected bdthemes plugins, especially those running e-commerce websites on WordPress. Successful exploitation can lead to full system compromise, including arbitrary code execution, data theft, and deletion of critical files, potentially resulting in website defacement, downtime, loss of customer trust, and financial damage. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker scanning for vulnerable sites. This increases the risk of automated mass exploitation campaigns. Organizations relying on these plugins for online sales or digital product delivery may face significant operational disruption and regulatory consequences if customer data is exposed. The lack of an internal gadget chain means exploitation depends on the presence of other vulnerable plugins or themes, but given the common practice of using multiple plugins, the attack surface is broad. Overall, the vulnerability poses a critical threat to the confidentiality, integrity, and availability of affected systems worldwide.

1. Immediate upgrade: Organizations should check for and apply any available updates or patches from bdthemes addressing this vulnerability. If no patch is available, consider temporarily disabling the affected plugins. 2. Input validation and sanitization: Implement web application firewall (WAF) rules to block or sanitize requests containing the _ultimate_store_kit_compare_products cookie with suspicious serialized data. 3. Plugin audit: Review all installed plugins and themes for known gadget chains that could be exploited in conjunction with this vulnerability; remove or update vulnerable components. 4. Restrict cookie manipulation: Use security plugins or server configurations to restrict or validate cookie values to prevent injection of serialized objects. 5. Monitor logs: Enable detailed logging and monitor for unusual requests targeting the vulnerable cookie or signs of exploitation attempts. 6. Harden WordPress environment: Limit plugin installations to trusted sources, enforce least privilege principles, and isolate critical components to reduce attack surface. 7. Backup and recovery: Maintain recent backups and test recovery procedures to mitigate damage in case of successful exploitation. 8. Incident response readiness: Prepare to respond quickly to any signs of compromise related to this vulnerability.