PRIOn knowledge base: PRION:CVE-2023-3202
Jul 12, 2023 - 5:15 a.m.

Cross-site request forgery (CSRF)

2023-07-12 05:15:00
PRIOn knowledge base
www.prio-n.com
wordpress
plugin
vulnerability
csrf
mstore api
missing nonce validation
firebase server key
push notification
order status
unauthenticated attackers
forged request
site administrator
action

AI Score: 4.4 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 39.6%)

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. This makes it possible for unauthenticated attackers to update the Firebase server key used to send push notifications when an order status changes, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CPE
Name: mstore_api
Operator: le
Version: 3.9.6
