CVE-2025-2168 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in the Ultimate Store Kit Elementor Addons plugin for WordPress, which integrates WooCommerce and Elementor functionalities. The vulnerability exists due to missing or improper nonce validation in the dismiss() function, a security mechanism intended to verify that requests originate from legitimate users. Because of this flaw, an unauthenticated attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), sets arbitrary user meta values to '1'. This manipulation can be leveraged to lock administrators out of their own WordPress sites, effectively denying them access and control. The vulnerability affects all versions up to and including 2.4.1 of the plugin. Exploitation requires no prior authentication but does require user interaction, such as clicking a specially crafted link. The CVSS 3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and user interaction needed. Although no known exploits are currently reported in the wild, the impact on site integrity and administrative control makes this a significant concern for affected WordPress sites, especially those relying heavily on this plugin for e-commerce and site-building capabilities.

The primary impact of this vulnerability is on the integrity of affected WordPress sites, as attackers can manipulate user meta values to lock out administrators. This administrative lockout can disrupt site management, delay incident response, and potentially lead to prolonged downtime or loss of control over critical e-commerce and content management functions. While confidentiality and availability are not directly compromised, the inability of administrators to access their sites can indirectly affect availability and business continuity. Organizations relying on the Ultimate Store Kit plugin for WooCommerce and Elementor-powered storefronts may face operational disruptions, reputational damage, and potential financial losses if attackers exploit this vulnerability. The requirement for user interaction limits the ease of exploitation but does not eliminate the risk, especially in environments where administrators may be targeted with phishing or social engineering attacks.

To mitigate this vulnerability, organizations should immediately update the Ultimate Store Kit Elementor Addons plugin to a patched version once available. In the absence of an official patch, administrators can implement the following specific measures: 1) Disable or restrict the dismiss() function or related AJAX endpoints via web application firewall (WAF) rules to block unauthorized requests. 2) Enforce strict Content Security Policy (CSP) headers to reduce the risk of malicious cross-site requests. 3) Educate administrators and site managers about the risk of clicking unsolicited links, especially those received via email or messaging platforms. 4) Implement multi-factor authentication (MFA) for WordPress admin accounts to add an additional layer of security. 5) Regularly back up site data and user meta information to enable quick recovery in case of lockout. 6) Monitor site logs for suspicious activity related to user meta changes or unusual administrative actions. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and exploitation method of this vulnerability.