Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-2733

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Published

2023-05-25T03:15:08.797

Last Modified

2024-11-21T07:59:11.407

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	inspireui	mstore_api	≤ 3.9.0	Yes

References

https://plugins.trac.wordpress.org/browser/mstore-api/tags/3.9.0/controllers/flutter-woo.php#L734 Patch ([email protected])
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2913397%40mstore-api&old=2910707%40mstore-api&sfp_email=&sfph_mail=#file60 Patch ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/c726d8f0-7f2a-414b-9d73-a053921074d9?source=cve Third Party Advisory ([email protected])
https://plugins.trac.wordpress.org/browser/mstore-api/tags/3.9.0/controllers/flutter-woo.php#L734 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2913397%40mstore-api&old=2910707%40mstore-api&sfp_email=&sfph_mail=#file60 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/threat-intel/vulnerabilities/id/c726d8f0-7f2a-414b-9d73-a053921074d9?source=cve Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)