Skip to main content

Mstore Api CVE-2023-3198

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-06-14 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 19:38 nvd
Patch available
CVE Published
Jun 14, 2023 - 02:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Affected products include: Inspireui Mstore Api.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2023-2732 CRITICAL POC
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rate

CVE-2023-2734 CRITICAL POC
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rate

CVE-2023-3277 CRITICAL POC
9.8 Nov 03

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up

CVE-2023-3197 CRITICAL POC
9.8 Jun 24

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versi

CVE-2020-36713 CRITICAL POC
9.8 Jun 07

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rate

CVE-2023-3077 CRITICAL POC
9.8 Jul 10

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement

CVE-2023-3076 CRITICAL POC
9.8 Jul 10

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of thei

CVE-2024-6328 CRITICAL
9.8 Jul 12

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypa

CVE-2023-2733 CRITICAL
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rate

CVE-2021-24148 CRITICAL
9.8 Mar 18

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign

CVE-2024-8242 HIGH
8.8 Sep 13

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uplo

CVE-2023-3131 MEDIUM POC
4.3 Jul 10

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks,

Share

CVE-2023-3198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy