MStore API
CVE-2026-54817
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Auth bypass via password recovery grants unauthorized account access, warranting C:L; no clear availability impact from this attack class justifies A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation.
This issue affects MStore API: from n/a through 4.18.4.
AnalysisAI
Authentication bypass in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to exploit the password recovery flow as an alternate authentication channel, circumventing normal credential verification. Confirmed by Patchstack under CWE-288, the flaw enables unauthorized manipulation of user account state with low integrity and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication is required and no user interaction is needed, making exploitation possible against any internet-accessible WordPress site with MStore API 4.18.4 or earlier installed and active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is backed by a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating network-reachable, low-complexity, zero-authentication exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates a valid WordPress username or email address on a site running MStore API through 4.18.4, then sends a crafted request directly to the plugin's password recovery API endpoint, bypassing the expected authentication or token-validation step. By exploiting the alternate channel exposed by the recovery flow, the attacker can trigger an unauthorized account state change - such as resetting another user's password or obtaining a recovery token - without possessing valid credentials. … |
| Remediation | Update MStore API to a version beyond 4.18.4 via the WordPress plugin dashboard or by downloading the patched release from the WordPress.org plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mstore Api
View allThe MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rate
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rate
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up
The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versi
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rate
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement
The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of thei
The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypa
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rate
A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign
The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uplo
The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today