Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible REST API with no authentication required (PR:N, AV:N, AC:L); limited read/write impact consistent with broken access control, no availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4.
AnalysisAI
Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network access to a WordPress installation with the MStore API plugin installed and active in a version at or below 4.18.4. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score with vector AV:N/AC:L/PR:N/UI:N reflects a low-friction, network-accessible, unauthenticated attack path - the most favorable attacker posture short of a critical score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates a WordPress installation running MStore API (trivially detectable via /wp-json/ endpoint discovery) and issues HTTP requests directly to a protected REST API route - such as an order status, user profile, or product management endpoint - without supplying credentials. Because the authorization check is absent, the server processes the request and returns or modifies data as if the caller held the required role, exposing WooCommerce order data or allowing limited record manipulation. … |
| Remediation | Update the MStore API WordPress plugin to a version released after 4.18.4; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mstore-api/vulnerability/wordpress-mstore-api-plugin-4-18-4-broken-access-control-vulnerability should be consulted for the exact fixed version once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mstore Api
View allThe MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rate
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rate
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up
The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versi
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rate
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement
The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of thei
The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypa
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rate
A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign
The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uplo
The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks,
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43449