Authentication flaw

2023-06-0702:15:00

PRIOn knowledge base

www.prio-n.com

mstore api

wordpress

authentication bypass

vulnerability

unrestricted access

administrator accounts

privilege escalation

9.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.7%

JSON

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the ‘register’ and ‘update_user_profile’ routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.

CPENameOperatorVersion
mstore_apile2.1.5

CPE	Name	Operator	Version
	mstore_api	le	2.1.5

References

blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/

www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-security-bypass-2-1-5/

www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a34-f448cb2e5a1d?source=cve