Skip to main content

Mstore Api

28 CVEs product

Monthly

CVE-2026-57375 MEDIUM This Month

Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.

Authentication Bypass Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54817 MEDIUM This Month

Authentication bypass in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to exploit the password recovery flow as an alternate authentication channel, circumventing normal credential verification. Confirmed by Patchstack under CWE-288, the flaw enables unauthorized manipulation of user account state with low integrity and availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivially exploitable conditions from the network without any authentication.

Authentication Bypass Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-4683 MEDIUM PATCH Monitor

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Apple Google WordPress Authentication Bypass Mstore Api +3
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-3438 MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Apple Google WordPress Privilege Escalation Mstore Api +3
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-12042 MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Google WordPress Apple XSS File Upload +1
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-11179 MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Google Apple Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-8269 MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apple WordPress Google Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-8242 HIGH PATCH This Week

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Google WordPress PHP RCE Apple +2
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-7628 HIGH PATCH This Week

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Apple WordPress Google Mstore Api
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-6328 CRITICAL PATCH Act Now

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apple Google WordPress Authentication Bypass Mstore Api
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-50878 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in InspireUI MStore API.10.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mstore Api
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-3277 CRITICAL POC THREAT Emergency

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.2%.

Apple WordPress Privilege Escalation Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
38.2%
Threat
4.6
CVE-2023-3202 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-3199 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_title function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-3209 LOW POC Monitor

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Mstore Api
NVD WPScan
CVSS 3.1
3.5
EPSS
0.3%
CVE-2023-3131 MEDIUM POC This Month

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Mstore Api
NVD WPScan
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-3077 CRITICAL POC Act Now

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mstore Api
NVD WPScan
CVSS 3.1
9.8
EPSS
5.5%
CVE-2023-3076 CRITICAL POC Act Now

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Mstore Api
NVD WPScan
CVSS 3.1
9.8
EPSS
2.2%
CVE-2023-3197 CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 36.8%.

SQLi WordPress Mstore Api
NVD
CVSS 3.1
9.8
EPSS
36.8%
Threat
4.6
CVE-2023-3203 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-3201 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-3200 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-3198 MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2020-36713 CRITICAL POC Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-2734 CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.3%.

Authentication Bypass WordPress Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
60.3%
Threat
5.3
CVE-2023-2733 CRITICAL PATCH Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2023-2732 CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.0%.

WordPress Authentication Bypass Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
90.0%
Threat
6.2
CVE-2021-24148 CRITICAL Act Now

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Apple Authentication Bypass Mstore Api
NVD WPScan
CVSS 3.1
9.8
EPSS
3.4%
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.

Authentication Bypass Mstore Api
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to exploit the password recovery flow as an alternate authentication channel, circumventing normal credential verification. Confirmed by Patchstack under CWE-288, the flaw enables unauthorized manipulation of user account state with low integrity and availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivially exploitable conditions from the network without any authentication.

Authentication Bypass Mstore Api
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Apple Google WordPress +5
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Apple Google WordPress +5
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Google WordPress Apple +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Google +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apple WordPress +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Google WordPress PHP +4
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Apple WordPress +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The MStore API - Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apple Google WordPress +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in InspireUI MStore API.10.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mstore Api
NVD
EPSS 38% 4.6 CVSS 9.8
CRITICAL POC THREAT Emergency

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 38.2%.

Apple WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_title function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 0% CVSS 3.5
LOW POC Monitor

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Mstore Api
NVD WPScan
EPSS 1% CVSS 4.3
MEDIUM POC This Month

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Mstore Api
NVD WPScan
EPSS 6% CVSS 9.8
CRITICAL POC Act Now

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mstore Api
NVD WPScan
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Mstore Api
NVD WPScan
EPSS 37% 4.6 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 36.8%.

SQLi WordPress Mstore Api
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Mstore Api
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mstore Api
NVD VulDB
EPSS 60% 5.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.3%.

Authentication Bypass WordPress Mstore Api
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Mstore Api
NVD VulDB
EPSS 90% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.0%.

WordPress Authentication Bypass Mstore Api
NVD VulDB
EPSS 3% CVSS 9.8
CRITICAL Act Now

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Apple Authentication Bypass +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy