Lucene search
K

267 matches found

RedhatCVE
RedhatCVE
added 2025/05/23 3:21 a.m.11 views

CVE-2023-3131

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both...

4.3CVSS6.8AI score0.00507EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:30 a.m.3 views

CVE-2023-3202

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatefirebaseserverkey function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via ...

4.3CVSS5.8AI score0.00296EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:16 a.m.9 views

CVE-2023-3203

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatelimitproduct function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a...

4.3CVSS6.5AI score0.00316EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:12 a.m.11 views

CVE-2023-3077

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, an...

9.8CVSS7.5AI score0.05304EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:0 a.m.8 views

CVE-2023-3277

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's...

9.8CVSS7.2AI score0.02888EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:59 a.m.13 views

CVE-2023-3198

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatestatusordermessage function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site...

4.3CVSS6.5AI score0.00316EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:59 a.m.12 views

CVE-2023-3200

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatenewordermessage function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site...

4.3CVSS6.5AI score0.00316EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:53 a.m.8 views

CVE-2023-2734

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated...

9.8CVSS7.1AI score0.03805EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:52 a.m.14 views

CVE-2023-2732

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers ...

9.8CVSS7AI score0.67511EPSS
Exploits3References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:57 p.m.14 views

CVE-2021-24148

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address...

10CVSS6.8AI score0.03373EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/04 6:7 a.m.23 views

CVE-2025-3438

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to...

7.3CVSS6.9AI score0.00281EPSS
Exploits0References1
OSV
OSV
added 2025/05/02 6:15 a.m.4 views

CVE-2025-3438

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to...

7.3CVSS5.8AI score
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/05/02 5:22 a.m.9 views

CVE-2025-3438 MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to...

6.5CVSS6.4AI score0.00281EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/05/02 5:22 a.m.24 views

CVE-2025-3438 MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to...

6.5CVSS0.00281EPSS
Exploits0References5
CVE
CVE
added 2025/05/02 5:22 a.m.68 views

CVE-2025-3438

The CVE-2025-3438 entry concerns the WordPress MStore API plugin (≤ 4.17.4), which allows unauthenticated privilege escalation by registering as the wcfm_vendor Store Vendor role due to insufficient role restrictions during registration. Exploitation requires the WCFM Marketplace – Multivendor Ma...

7.3CVSS6.4AI score0.00281EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2025/05/02 12:0 a.m.7 views

PT-2025-18761 · WordPress · Mstore Api +1

Name of the Vulnerable Software and Affected Versions: MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.17.4 Description: The issue is related to limited privilege escalation due to a lack of restriction of role when registering,...

7.3CVSS7.6AI score0.00281EPSS
Exploits0References12
Patchstack
Patchstack
added 2025/05/01 10:8 p.m.7 views

WordPress MStore API plugin <= 4.17.4 - Unauthenticated Limited Privilege Escalation vulnerability

Unauthenticated Limited Privilege Escalation vulnerability discovered by Brian Sans-Souci liardom in WordPress Plugin MStore API versions = 4.17.4...

7.3CVSS8.9AI score0.00281EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/06 12:5 a.m.9 views

CVE-2022-47614

Unauth. SQL Injection SQLi vulnerability in InspireUI MStore API plugin = 3.9.7 versions...

7.5CVSS8AI score0.00571EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/02/05 3:7 p.m.9 views

CVE-2020-36713

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'updateuserprofile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delet...

9.8CVSS7.3AI score0.01605EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/02/05 12:4 p.m.8 views

CVE-2024-7628

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verifyidtoken' function. This makes it possible for unauthenticated attackers to...

8.1CVSS6.8AI score0.00658EPSS
Exploits0References1
Rows per page
Query Builder