
28 matches found

Patchstack
added 2026/04/09 11:29 p.m., 1 view

WordPress MStore API plugin <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference to Arbitrary User Meta Update vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin MStore API versions <= 4.18.3...

4.3 CVSS, 5.9 AI score, 0.00042 EPSS
Exploits: 0, References: 1, Affected Software: 1

EUVD
added 2026/04/09 6:30 a.m., 0 views

EUVD-2026-20840

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3 CVSS, 6 AI score, 0.00042 EPSS
Exploits: 0, References: 9

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-43881

Malicious code in bioql PyPI...

4.3 CVSS, 6 AI score, 0.00244 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2023-43880

Malicious code in bioql PyPI...

4.3 CVSS, 6.1 AI score, 0.00134 EPSS
Exploits: 0, References: 3

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2023-43875

Malicious code in bioql PyPI...

9.8 CVSS, 9.2 AI score, 0.29566 EPSS
Exploits: 0, References: 2

RedhatCVE
added 2025/05/23 3:47 a.m., 8 views

CVE-2023-3199

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatestatusordertitle function. This makes it possible for unauthenticated attackers to update status order title via a forged request granted they can trick a site...

4.3 CVSS, 6.5 AI score, 0.00107 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/05/23 3:47 a.m., 9 views

CVE-2023-3201

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatenewordertitle function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrato...

4.3 CVSS, 6.5 AI score, 0.00147 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/05/23 3:47 a.m., 4 views

CVE-2023-3197

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible...

9.8 CVSS, 7.5 AI score, 0.29566 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/05/23 3:44 a.m., 4 views

CVE-2023-3076

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features...

9.8 CVSS, 6.6 AI score, 0.30393 EPSS
Exploits: 2, References: 1

RedhatCVE
added 2025/05/23 2:16 a.m., 5 views

CVE-2023-3203

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatelimitproduct function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a...

4.3 CVSS, 6.5 AI score, 0.00244 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/02/05 3:7 p.m., 7 views

CVE-2020-36713

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'updateuserprofile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delet...

9.8 CVSS, 7.3 AI score, 0.00928 EPSS
Exploits: 1, References: 1

OSV
added 2024/12/13 9:15 a.m., 1 view

CVE-2024-12042

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for...

5.4 CVSS, 7.4 AI score
Exploits: 0, References: 3

Patchstack
added 2024/12/12 9:39 p.m., 3 views

WordPress MStore API plugin <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting) vulnerability

Authenticated Subscriber+ HTML File Upload Stored Cross-Site Scripting vulnerability discovered by shaman0x01 in WordPress Plugin MStore API versions <= 4.16.4...

5.4 CVSS, 6.9 AI score, 0.00233 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2023/10/03 12:0 a.m., 12 views

WordPress MStore API Plugin <= 4.0.6 is vulnerable to SQL Injection

Software: MStore API; Type: Plugin; Vulnerable versions: <= 4.0.6; Fixed in: 4.0.7; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2023-45055; Patch priority: High; CVSS severity: High 8.5; PSID: 62679b9fbc47; Credits: Truoc Phan; Required privilege: Subscriber; Published: 3...

9.8 CVSS, 6.8 AI score, 0.00147 EPSS
Exploits: 0, References: 2, Affected Software: 1

OSV
added 2023/07/10 4:15 p.m., 1 view

CVE-2023-3077

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, an...

9.8 CVSS, 7.2 AI score
Exploits: 0, References: 1

OSV
added 2023/07/10 4:15 p.m., 1 view

CVE-2023-3076

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features...

9.8 CVSS, 7.2 AI score, 0.30393 EPSS
Exploits: 2, References: 1

Cvelist
added 2023/06/24 2:0 a.m., 41 views

CVE-2023-3197 MStore API <= 4.0.1 - Unauthenticated SQL Injection

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible...

9.8 CVSS, 9.8 AI score, 0.29566 EPSS
Exploits: 0, References: 2

Prion
added 2023/06/23 3:15 p.m., 13 views

Sql injection

Unauth. SQL Injection SQLi vulnerability in InspireUI MStore API plugin = 3.9.7 versions...

5 CVSS, 8 AI score, 0.0016 EPSS
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2023/06/14 2:15 a.m., 1 view

CVE-2023-3201

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatenewordertitle function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrato...

4.3 CVSS, 5.7 AI score
Exploits: 0, References: 3

OSV
added 2023/06/14 2:15 a.m., 2 views

CVE-2023-3203

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatelimitproduct function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a...

4.3 CVSS, 7.2 AI score, 0.00244 EPSS
Exploits: 0, References: 3