CVE-2025-24584: 
WordPress vulnerability analysis and mitigation

The CVE-2025-24584 is a Missing Authorization vulnerability discovered in BdThemes Ultimate Store Kit Elementor Addons plugin for WordPress. The vulnerability was disclosed on December 19, 2024, affecting all versions up to and including 2.3.0. This security issue allows authenticated users with Subscriber-level access and above to exploit incorrectly configured access control security levels (WPScan, NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The security issue stems from a missing capability check on a function that allows authenticated users to perform unauthorized actions (Patchstack).

The vulnerability enables authenticated attackers with Subscriber-level privileges or higher to perform unauthorized actions within the WordPress installation. This broken access control issue could potentially lead to unauthorized modifications of plugin settings or data (Patchstack).

The vulnerability has been patched in version 2.3.1 of the Ultimate Store Kit Elementor Addons plugin. Users are advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).