Skip to main content

MStore API CVE-2026-54817

MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Auth bypass via password recovery grants unauthorized account access, warranting C:L; no clear availability impact from this attack class justifies A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:52 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation.

This issue affects MStore API: from n/a through 4.18.4.

AnalysisAI

Authentication bypass in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to exploit the password recovery flow as an alternate authentication channel, circumventing normal credential verification. Confirmed by Patchstack under CWE-288, the flaw enables unauthorized manipulation of user account state with low integrity and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site running MStore API
Delivery
Enumerate valid user account or email
Exploit
Send unauthenticated request to password recovery API endpoint
Execution
Exploit alternate authentication channel (CWE-288)
Persist
Trigger unauthorized account state change
Impact
Gain unauthorized account access or disrupt user authentication

Vulnerability AssessmentAI

Exploitation The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication is required and no user interaction is needed, making exploitation possible against any internet-accessible WordPress site with MStore API 4.18.4 or earlier installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is backed by a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating network-reachable, low-complexity, zero-authentication exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates a valid WordPress username or email address on a site running MStore API through 4.18.4, then sends a crafted request directly to the plugin's password recovery API endpoint, bypassing the expected authentication or token-validation step. By exploiting the alternate channel exposed by the recovery flow, the attacker can trigger an unauthorized account state change - such as resetting another user's password or obtaining a recovery token - without possessing valid credentials. …
Remediation Update MStore API to a version beyond 4.18.4 via the WordPress plugin dashboard or by downloading the patched release from the WordPress.org plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-2732 CRITICAL POC
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rate

CVE-2023-2734 CRITICAL POC
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rate

CVE-2023-3277 CRITICAL POC
9.8 Nov 03

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up

CVE-2023-3197 CRITICAL POC
9.8 Jun 24

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versi

CVE-2020-36713 CRITICAL POC
9.8 Jun 07

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rate

CVE-2023-3077 CRITICAL POC
9.8 Jul 10

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement

CVE-2023-3076 CRITICAL POC
9.8 Jul 10

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of thei

CVE-2024-6328 CRITICAL
9.8 Jul 12

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypa

CVE-2023-2733 CRITICAL
9.8 May 25

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rate

CVE-2021-24148 CRITICAL
9.8 Mar 18

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign

CVE-2024-8242 HIGH
8.8 Sep 13

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uplo

CVE-2023-3131 MEDIUM POC
4.3 Jul 10

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks,

Share

CVE-2026-54817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy