CVE-2024-5335 Overview
CVE-2024-5335 is a high-severity PHP Object Injection vulnerability in the Ultimate Store Kit Elementor Addons plugin for WordPress. This WooCommerce builder plugin, developed by BdThemes, deserializes untrusted input in versions up to and including 1.6.4: the value of the _ultimate_store_kit_compare_products cookie is handed to PHP's unserialize(), so an unauthenticated attacker can inject arbitrary PHP objects simply by sending a crafted cookie.
Critical Impact
Unauthenticated attackers can inject PHP objects that, when combined with a POP (Property Oriented Programming) chain from another installed plugin or theme, could lead to arbitrary file deletion, sensitive data retrieval, or remote code execution on affected WordPress installations.
Affected Products
- BdThemes Ultimate Store Kit versions up to and including 1.6.4
- WordPress installations using the affected plugin version
- WooCommerce stores utilizing Ultimate Store Kit for product comparisons
Discovery Timeline
- 2024-08-21 - CVE CVE-2024-5335 published to NVD
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2024-5335
Vulnerability Analysis
This PHP Object Injection vulnerability resides in the plugin's helper.php file. The value of the _ultimate_store_kit_compare_products cookie, which any visitor controls, is deserialized without validation of its format or contents, so an unauthenticated remote attacker can submit crafted serialized PHP data that the application processes.
The plugin itself does not ship a Property Oriented Programming (POP) chain that turns the object injection into a concrete impact, but any class defined by another installed plugin or theme is a candidate gadget: unserialize() instantiates whichever class the payload names, as long as that class is loaded when the cookie is processed. This is why object injection in WordPress has to be assessed against the whole installation rather than against the vulnerable plugin alone.
Root Cause
The root cause is classified under CWE-502 (Deserialization of Untrusted Data). The plugin passes the cookie value to PHP's unserialize() without first checking that it has the expected shape and without restricting which classes may be instantiated (the allowed_classes option of unserialize()). The _ultimate_store_kit_compare_products cookie is meant to hold product-comparison state, but it accepts arbitrary serialized PHP from unauthenticated visitors, so an attacker can instantiate any loaded PHP class with attacker-chosen property values.
Attack Vector
The attack is network-based and requires neither authentication nor user interaction. An attacker sends an HTTP request whose _ultimate_store_kit_compare_products cookie carries a serialized PHP object; when the server processes the request, the deserialization call in helper.php (line 1103) instantiates the injected object. If a suitable POP gadget chain exists on the site, its magic methods run without any further action by the attacker: __wakeup() (or __unserialize()) during deserialization itself, __destruct() when the object is freed, and __toString() only if the object is later used as a string. Depending on the chain, that can mean arbitrary code execution, file deletion, or disclosure of sensitive data.
The exploitation flow typically involves:
- Identifying a target WordPress site running the vulnerable plugin version
- Discovering available POP chains from other installed plugins or themes
- Crafting a serialized PHP object that leverages the discovered gadget chain
- Sending the malicious payload via the _ultimate_store_kit_compare_products cookie
- Achieving code execution or other impact based on the available chain
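To make the root cause and the attack flow concrete, here is an added illustration, not code from the Ultimate Store Kit plugin or from the original page: a helper that reads the compare cookie the vulnerable way (straight into unserialize()) next to a hardened version, plus a hypothetical DemoGadget class standing in for a gadget that some other plugin or theme might supply. The cookie layout (a serialized array of product IDs), the DemoGadget class and the payload string are all assumptions made for the demo; in WordPress the cookie would arrive as $_COOKIE['_ultimate_store_kit_compare_products'], already percent-decoded by PHP.

```php
<?php
declare(strict_types=1);
// Added illustration for CVE-2024-5335; not the plugin's own code. Requires PHP 7.4+.
// ASSUMPTION: the compare cookie normally carries a serialized array of product IDs,
// e.g. a:2:{i:0;i:12;i:1;i:34;}.

// Hypothetical gadget: stands in for a class that another active plugin or theme
// might define. Anything whose __destruct()/__wakeup() acts on its own properties works.
final class DemoGadget
{
    public static array $fired = [];
    public string $path = '';

    public function __destruct()
    {
        // A real gadget might unlink($this->path) or write a file; here we only record it.
        self::$fired[] = $this->path;
    }
}

// VULNERABLE: untrusted cookie straight into unserialize(). Any loaded class
// can be instantiated with attacker-chosen property values.
function compare_products_vulnerable(string $cookie): array
{
    $data = unserialize($cookie);
    return is_array($data) ? $data : [];
}

// HARDENED: forbid objects entirely, then validate the expected shape.
function compare_products_hardened(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $ids = [];
    foreach ($data as $v) {
        // Any object arrives as __PHP_Incomplete_Class (no methods) and is discarded here.
        if (is_int($v) && $v > 0) {
            $ids[] = $v;
        }
    }
    return $ids;
}

// Constructed inputs (not captured from a real site). The payload is a string
// literal so that no DemoGadget exists on our side before deserialization.
const LEGIT_COOKIE   = 'a:2:{i:0;i:12;i:1;i:34;}';
const PAYLOAD_COOKIE = 'a:1:{i:0;O:10:"DemoGadget":1:{s:4:"path";s:13:"wp-config.php";}}';

function demo(): array
{
    $out = [];
    $out['legit_vulnerable'] = compare_products_vulnerable(LEGIT_COOKIE);
    $out['legit_hardened']   = compare_products_hardened(LEGIT_COOKIE);

    // The returned array is discarded, so the injected object is freed and __destruct() runs.
    compare_products_vulnerable(PAYLOAD_COOKIE);
    $out['fired_after_vulnerable'] = DemoGadget::$fired;

    $out['payload_hardened']     = compare_products_hardened(PAYLOAD_COOKIE);
    $out['fired_after_hardened'] = DemoGadget::$fired; // unchanged: no DemoGadget was built
    return $out;
}

var_export(demo());
```

Run it with the php CLI. The vulnerable call instantiates DemoGadget from the cookie and its __destruct() fires as soon as the returned array is dropped, which is exactly the "no further interaction needed" property of this bug class; the hardened call returns an empty list because allowed_classes => false turns the object into __PHP_Incomplete_Class and the shape check rejects it. The cleaner long-term fix is to stop using serialize() for cookie data at all and keep a JSON or comma-separated list of integer IDs that is validated on read.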
Detection Methods for CVE-2024-5335
Indicators of Compromise
- Values of the _ultimate_store_kit_compare_products cookie that contain serialized PHP object notation (an O: or C: class marker such as O:8:"...), keeping in mind that the cookie usually arrives percent-encoded, so the same marker shows up in raw logs as O%3A8%3A%22
- Web server access logs showing requests with abnormally large or suspicious cookie headers
- Unexpected file deletions or modifications on the WordPress installation
- Creation of unknown files in web-accessible directories
Detection Strategies
- Monitor web application firewall (WAF) logs for serialized PHP object patterns in cookie values, particularly looking for class instantiation markers
- Implement log analysis rules that percent-decode cookie values and then look for object markers such as O:[0-9]+:" (and the O:+[0-9]+: and C: variants) in the Cookie header; matching the raw, still-encoded line can miss encoded payloads
- Deploy SentinelOne Singularity Platform to detect post-exploitation behaviors such as webshell deployment or unauthorized process execution
- Conduct regular WordPress plugin audits to identify installations running vulnerable versions
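The detection logic above, run over constructed log lines, as an added example rather than something from the original page: it pulls the Cookie header out of each line, percent-decodes every cookie, flags O:/C: class markers, and reports the cookie name so that hits on _ultimate_store_kit_compare_products can be triaged first. The log format (combined log with the raw Cookie header appended as the last quoted field, as Apache's %{Cookie}i or nginx's $http_cookie would produce) and all four sample lines are assumptions.

```php
<?php
declare(strict_types=1);
// Added detection example for CVE-2024-5335; not code from the original page.
// ASSUMPTION: access logs are combined format with the raw Cookie header as the
// final quoted field. Every sample line below is constructed, not captured traffic.

const TARGET_COOKIE = '_ultimate_store_kit_compare_products';

// Serialized object (O:) and custom-serializable (C:) markers. The optional '+'
// covers the O:+8: spelling that unserialize() also accepts. Plain arrays (a:)
// are deliberately not matched: plugins legitimately keep those in cookies.
const OBJECT_MARKER = '/\b[OC]:\+?\d+:"/';

// Parse "name=value; name2=value2" into [name => decoded value]. Values are
// percent-decoded because clients usually encode the " ; { } characters that
// serialized PHP contains, which would hide the marker from a naive grep.
function parse_cookie_header(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // e.g. a raw (unencoded) payload split on its own ';'
        }
        [$name, $value] = explode('=', $pair, 2);
        $cookies[trim($name)] = rawurldecode($value);
    }
    return $cookies;
}

// One finding per cookie in the line that carries an object marker; [] if clean.
function scan_line(string $line): array
{
    // Last quoted field; Apache escapes embedded quotes as \" so allow those.
    if (!preg_match('/"((?:[^"\\\\]|\\\\.)*)"\s*$/', $line, $m)) {
        return [];
    }
    $header = str_replace('\\"', '"', $m[1]);
    $findings = [];
    foreach (parse_cookie_header($header) as $name => $value) {
        if (preg_match(OBJECT_MARKER, $value, $hit)) {
            $findings[] = [
                'cookie'    => $name,
                'marker'    => $hit[0],
                'high_conf' => $name === TARGET_COOKIE, // the CVE-2024-5335 sink
                'decoded'   => $value,
            ];
        }
    }
    return $findings;
}

function scan_log(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        foreach (scan_line($line) as $f) {
            $report[] = ['line_no' => $i + 1] + $f;
        }
    }
    return $report;
}

// Constructed sample log (addresses from the RFC 5737 documentation ranges).
const SAMPLE_LOG = [
    // Legitimate compare cookie: a serialized array of two product IDs.
    '203.0.113.5 - - [21/Aug/2024:10:00:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "_ultimate_store_kit_compare_products=a%3A2%3A%7Bi%3A0%3Bi%3A12%3Bi%3A1%3Bi%3A34%3B%7D"',
    // Percent-encoded object payload in the vulnerable cookie.
    '198.51.100.7 - - [21/Aug/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.4.0" "wordpress_test_cookie=WP%20Cookie%20check; _ultimate_store_kit_compare_products=O%3A10%3A%22DemoGadget%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A13%3A%22wp-config.php%22%3B%7D"',
    // Same payload sent raw; the web server escaped the quotes in the log as \".
    '198.51.100.7 - - [21/Aug/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.4.0" "_ultimate_store_kit_compare_products=O:10:\\"DemoGadget\\":1:{s:4:\\"path\\";s:13:\\"wp-config.php\\";}"',
    // Object marker in some other cookie: worth a look, but not this CVE's sink.
    '192.0.2.9 - - [21/Aug/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "session=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
];

var_export(scan_log(SAMPLE_LOG));
```

The first line is clean (an a: array is what the feature is expected to store), lines two and three are flagged as high-confidence hits on the vulnerable cookie whether the payload was encoded or raw, and the last line is flagged at lower confidence because the marker sits in a different cookie. On a real server, pipe the access log through the same scan_line() function and correlate hits with file-integrity alerts from the Monitoring Recommendations section.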
Monitoring Recommendations
- Enable detailed access logging on web servers to capture full request headers including cookies
- Configure intrusion detection systems to alert on PHP deserialization attack patterns
- Monitor file integrity on WordPress installations for unauthorized changes to core files, uploads, or plugin directories
- Implement runtime application self-protection (RASP) solutions to detect and block object injection attempts
How to Mitigate CVE-2024-5335
Immediate Actions Required
- Update the Ultimate Store Kit Elementor Addons plugin to version 1.6.5 or later immediately, then confirm the installed version on the Plugins screen or with wp plugin list --fields=name,version
- Audit WordPress installations for signs of compromise, particularly unexpected file changes or new administrative users
- Review installed plugins and themes for known POP gadget chains that could increase exploitation risk
- Consider temporarily disabling the product comparison feature if immediate patching is not possible, and verify afterwards that the cookie is no longer read: switching the feature off in settings does not necessarily remove the code path in helper.php
Patch Information
BdThemes has released a security patch addressing this vulnerability. The fix is documented in the WordPress Plugin Change History which shows modifications to the helper.php file to properly validate and sanitize cookie input before deserialization. Users should update to version 1.6.5 or later through the WordPress plugin update mechanism or by downloading directly from the WordPress Plugin Repository.
Workarounds
- Implement web application firewall (WAF) rules to block requests containing serialized PHP object patterns in cookie values
- Use a security plugin to filter and sanitize cookie inputs before they reach the vulnerable code path
- Restrict access to the WordPress admin area and implement additional authentication controls as defense in depth; note that this does not close the vulnerable path, which is reachable by unauthenticated visitors
- Consider using SentinelOne's Singularity XDR platform for real-time detection and response to exploitation attempts
# Example WAF rule to block serialized PHP objects in cookies (ModSecurity format).
# REQUEST_COOKIES is already URL-decoded, so encoded payloads match too; the pattern also covers the O:+N: and C: markers.
# Scope the variable to REQUEST_COOKIES:_ultimate_store_kit_compare_products if a legitimate plugin stores objects in cookies.
SecRule REQUEST_COOKIES "@rx [OC]:\+?\d+:\"" "id:100001,phase:1,t:none,deny,status:403,log,msg:'PHP Object Injection attempt detected in cookie'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.