CVE-2024-5335 Overview
CVE-2024-5335 is a PHP Object Injection vulnerability in the Ultimate Store Kit Elementor Addons plugin for WordPress, developed by bdthemes. The flaw exists in versions up to and including 1.6.4. The plugin deserializes untrusted input from the _ultimate_store_kit_compare_products cookie without validation. Unauthenticated attackers can inject arbitrary PHP objects into the application. The plugin itself contains no Property Oriented Programming (POP) chain. However, if a POP chain exists in another installed plugin or theme, attackers can chain the injection to delete arbitrary files, exfiltrate sensitive data, or execute code. The vulnerability is tracked under [CWE-502: Deserialization of Untrusted Data].
Critical Impact
Unauthenticated attackers can inject PHP objects via a cookie, enabling arbitrary file deletion, data theft, or remote code execution when a POP chain is present in a co-installed plugin or theme.
Affected Products
- Bdthemes Ultimate Store Kit Elementor Addons (WordPress plugin)
- All versions up to and including 1.6.4
- Free distribution on the WordPress plugin repository
Discovery Timeline
- 2024-08-21 - CVE-2024-5335 published to NVD
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2024-5335
Vulnerability Analysis
The Ultimate Store Kit plugin implements a product comparison feature that persists state in a client-side cookie named _ultimate_store_kit_compare_products. The helper function responsible for reading this cookie calls PHP's unserialize() directly on the cookie value. Because cookies are attacker-controlled, any serialized PHP object the attacker constructs is reconstructed inside the WordPress process.
Object Injection becomes exploitable when reconstructed objects trigger magic methods such as __wakeup(), __destruct(), or __toString() during their lifecycle. The Ultimate Store Kit plugin does not ship classes that form a usable POP chain. WordPress installations typically host dozens of additional plugins and themes, increasing the likelihood that a viable gadget chain is already present on the host.
When chained, exploitation can result in arbitrary file deletion, sensitive data disclosure, or PHP code execution under the web server account.
Root Cause
The root cause is the use of unserialize() on attacker-controlled input without integrity validation or type restriction. The patched code in changeset 3135472 replaces unsafe deserialization with safe handling in includes/helper.php.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends an HTTP request to any endpoint that triggers the vulnerable helper, supplying a crafted _ultimate_store_kit_compare_products cookie containing a serialized PHP object payload. The plugin deserializes the payload, instantiating attacker-defined objects. Exploitation impact depends on the gadget chains available within other installed components.
Refer to the WordPress Plugin Helper Code and Wordfence Vulnerability Analysis for technical details.
Detection Methods for CVE-2024-5335
Indicators of Compromise
- HTTP requests containing a _ultimate_store_kit_compare_products cookie with values beginning with PHP serialization markers such as O:, a:, or s:.
- Unexpected file deletions, new PHP files in upload directories, or modifications to wp-config.php and theme files.
- Outbound network connections from the PHP-FPM or web server process to unfamiliar hosts following request bursts targeting plugin endpoints.
- Web server error logs referencing unserialize(), __wakeup, or __destruct deserialization failures.
Detection Strategies
- Inspect web access logs and WAF telemetry for cookie values matching PHP serialized object patterns, particularly the regex O:\d+:"[A-Za-z_\\]+":\d+:.
- Hunt for child processes spawned by the web server such as sh, bash, python, or curl, which indicate post-exploitation command execution.
- Monitor WordPress file integrity for changes to plugin, theme, and core PHP files outside of scheduled update windows.
Monitoring Recommendations
- Enable verbose request logging for endpoints served by the Ultimate Store Kit plugin and forward to centralized logging.
- Alert on any HTTP request where the _ultimate_store_kit_compare_products cookie length exceeds typical encoded values or contains serialization sigils.
- Track outbound DNS and HTTP egress from the web tier to detect data exfiltration triggered by gadget chains.
How to Mitigate CVE-2024-5335
Immediate Actions Required
- Update Ultimate Store Kit to a version newer than 1.6.4 immediately by applying the vendor patch from changeset 3135472.
- Audit all installed WordPress plugins and themes to inventory components that may provide an exploitable POP chain.
- Rotate WordPress secrets in wp-config.php, database credentials, and any API keys stored on the host if exploitation is suspected.
Patch Information
The vendor fix is published in WordPress Changeset #3135472, which removes the unsafe unserialize() call from includes/helper.php. Administrators should upgrade through the WordPress plugin updater or by deploying the patched release manually.
Workarounds
- Deactivate and remove the Ultimate Store Kit plugin until patching is complete if updates cannot be applied promptly.
- Deploy a Web Application Firewall (WAF) rule that strips or blocks requests containing serialized PHP objects in the _ultimate_store_kit_compare_products cookie.
- Restrict file system permissions for the web server account to limit the impact of arbitrary file operations triggered through gadget chains.
# Example ModSecurity rule to block serialized PHP objects in the vulnerable cookie
SecRule REQUEST_COOKIES:_ultimate_store_kit_compare_products "@rx ^(O|a|s):\d+:" \
"id:1005335,phase:1,deny,status:403,log,\
msg:'CVE-2024-5335 PHP Object Injection attempt in Ultimate Store Kit cookie'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
