CVE-2025-39588: WordPress Ultimate Store Kit Elementor Addons <= 2.4.0 - Deserialization of untrusted data Vulnerability

9.8 CVSS

Description

Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0.

Classification

CVE ID: CVE-2025-39588

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-502 Deserialization of Untrusted Data

Affected Products

Vendor: bdthemes

Product: Ultimate Store Kit Elementor Addons

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.79% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-39588
https://patchstack.com/database/wordpress/plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-2-4-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve

Timeline