cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12042,https://securityvulnerability.io/vulnerability/CVE-2024-12042,Stored Cross-Site Scripting Vulnerability in MStore API Plugin,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-13T08:24:50.600Z,0
CVE-2024-11179,https://securityvulnerability.io/vulnerability/CVE-2024-11179,Vulnerability in MStore API Plugin Allows SQL Injection,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,6.5,MEDIUM,0.0006600000197067857,false,,false,false,false,,false,false,2024-11-20T09:31:54.943Z,0
CVE-2024-8242,https://securityvulnerability.io/vulnerability/CVE-2024-8242,Arbitrary File Upload Vulnerability in MStore API Plugin,"The MStore API plugin for WordPress has a vulnerability that permits authenticated users, including those with subscriber-level access, to upload arbitrary files due to insufficient file type validation in the update_user_profile() function. This issue affects all versions up to and including 4.15.3. By exploiting this vulnerability, attackers can place potentially malicious files on the server, which may be used for remote code execution. Additionally, when combined with a registration endpoint open to unauthenticated users, this vulnerability can be leveraged to create more severe security risks.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,8.8,HIGH,0.0006699999794363976,false,,false,false,false,,false,false,2024-09-13T15:10:45.570Z,0
CVE-2024-8269,https://securityvulnerability.io/vulnerability/CVE-2024-8269,Unauthorized User Registration Vulnerability in MStore API Plugin,"The MStore API Plugin, used for creating native Android and iOS applications on the WordPress platform, is vulnerable to unauthorized user registration across all versions up to and including 4.15.3. This vulnerability arises from the lack of validation when registering users through the register() function. Attackers can exploit this flaw to create user accounts on WordPress sites, undermining the user registration settings intended to restrict such actions. The vulnerability poses significant risks, particularly for sites where user registration should be disabled. Site administrators are advised to assess their use of the MStore API Plugin and consider applying necessary patches or updates to safeguard their environments.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-09-13T15:10:38.839Z,0
CVE-2024-7628,https://securityvulnerability.io/vulnerability/CVE-2024-7628,Authentication Bypass Vulnerability in MStore API Plugin for WordPress,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress has a vulnerability that allows for authentication bypass due to improper type comparison in the 'verify_id_token' function. This flaw allows unauthorized users to gain access to any existing account on the site, including administrative accounts, when they have access to an @flutter.io email address or phone number. Proper configuration of Firebase for the website is required for exploitation, along with user account setup on Firebase.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,8.1,HIGH,0.0006300000241026282,false,,false,false,false,,false,false,2024-08-15T02:30:37.281Z,0
CVE-2024-6328,https://securityvulnerability.io/vulnerability/CVE-2024-6328,Authentication Bypass Vulnerability in MStore API Plugin,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress exhibits a serious vulnerability that allows unauthenticated attackers to bypass authentication controls. This flaw is attributed to poor verification processes related to the 'phone' parameter within the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. As a result, attackers can gain access as any user, including administrators, if they possess the requisite email address or phone number. Furthermore, when an unauthorized email address is provided, the system erroneously creates a new user account with default permissions, regardless of the status of registration settings.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,9.8,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-12T10:59:56.085Z,0
CVE-2023-3277,https://securityvulnerability.io/vulnerability/CVE-2023-3277,Unauthorized Access and Privilege Escalation in MStore API Plugin for WordPress,"The MStore API plugin for WordPress exposes a critical vulnerability due to improper handling of the Apple login feature. This flaw enables attackers to gain unauthorized access to user accounts by simply knowing the email addresses of targeted users. The issue affects all versions up to and including 4.10.7. Despite awareness of this vulnerability and communications with the plugin developers, a patch has not yet been released, heightening the risk for users of the MStore API plugin.",Wordpress,MStore API,9.8,CRITICAL,0.0017000000225380063,false,,false,false,false,,false,false,2023-11-03T12:15:00.000Z,0
CVE-2023-3202,https://securityvulnerability.io/vulnerability/CVE-2023-3202,Cross-Site Request Forgery in MStore API Plugin for WordPress,"The MStore API plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the mstore_update_firebase_server_key function. This vulnerability enables unauthenticated attackers to manipulate the firebase server key for push notifications during order status changes. By tricking an administrator into executing a fraudulent action, such as clicking a crafted link, the attacker can exploit this weakness and gain unauthorized control over certain site functionalities, potentially leading to unauthorized notifications and misuse.",Wordpress,Mstore Api,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2023-07-12T05:15:00.000Z,0
CVE-2023-3199,https://securityvulnerability.io/vulnerability/CVE-2023-3199,Cross-Site Request Forgery Vulnerability in MStore API for WordPress,"The MStore API plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit the absence of nonce validation in the mstore_update_status_order_title function. This flaw enables attackers to issue forged requests to update order titles, provided they can deceive a site administrator into executing an action, such as clicking on a crafted link. This type of vulnerability poses significant risks, making it essential for website administrators to apply appropriate security measures.",Wordpress,Mstore Api,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2023-07-12T05:15:00.000Z,0
CVE-2023-3076,https://securityvulnerability.io/vulnerability/CVE-2023-3076,MStore API < 3.9.9 - Unauthenticated Privilege Escalation,"The MStore API WordPress plugin prior to version 3.9.9 exposes a flaw that allows unauthenticated users to create accounts with arbitrary roles through its wholesale REST API endpoint. This vulnerability necessitates that the site owner has purchased the pro features of the plugin, making it a targeted risk for users with extended access.",Wordpress,Mstore Api,9.8,CRITICAL,0.003060000017285347,false,,false,false,true,true,false,false,2023-07-10T16:15:00.000Z,0
CVE-2023-3077,https://securityvulnerability.io/vulnerability/CVE-2023-3077,MStore API < 3.9.8 - Unauthenticated Blind SQLi,"The MStore API plugin for WordPress, prior to version 3.9.8, is susceptible to a Blind SQL Injection due to inadequate sanitization and escaping of a particular parameter within its SQL queries. This vulnerability can be exploited by unauthenticated users, particularly if the site owner opts to enable the pro features of the plugin and utilizes the WooCommerce Appointments plugin. Attackers can execute database queries, potentially resulting in unauthorized data access or manipulation.",Wordpress,Mstore Api,9.8,CRITICAL,0.08241000026464462,false,,false,false,false,,false,false,2023-07-10T16:15:00.000Z,0
CVE-2023-3209,https://securityvulnerability.io/vulnerability/CVE-2023-3209,MStore API < 3.9.7 - Settings Update via CSRF,"The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.",Wordpress,Mstore Api,3.5,LOW,0.0005699999746866524,false,,false,false,false,,false,false,2023-07-10T16:15:00.000Z,0
CVE-2023-3131,https://securityvulnerability.io/vulnerability/CVE-2023-3131,MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update,"The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.",Wordpress,Mstore Api,4.3,MEDIUM,0.0005699999746866524,false,,false,false,false,,false,false,2023-07-10T16:15:00.000Z,0
CVE-2023-3197,https://securityvulnerability.io/vulnerability/CVE-2023-3197,Unauthenticated Blind SQL Injection in MStore API Plugin for WordPress,"The MStore API plugin for WordPress contains a vulnerability that allows unauthenticated attackers to perform Blind SQL Injection through the 'id' parameter. This occurs due to inadequate escaping of user-supplied input and a lack of proper preparation in the existing SQL query. As a result, an attacker can inject additional SQL queries, potentially leading to unauthorized access and exposure of sensitive data stored in the database. It is crucial for users of MStore API versions up to 4.0.1 to take immediate steps to mitigate this vulnerability.",Wordpress,Mstore Api,9.8,CRITICAL,0.0004400000034365803,false,,false,false,false,,false,false,2023-06-24T03:15:00.000Z,0
CVE-2023-3201,https://securityvulnerability.io/vulnerability/CVE-2023-3201,Cross-Site Request Forgery in MStore API Plugin for WordPress,"The MStore API Plugin for WordPress exhibits a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the mstore_update_new_order_title function. This flaw permits unauthorized attackers to manipulate new order titles by crafting a falsified request. The attack typically requires tricking a site administrator into clicking a malicious link, enabling potential abuse of the plugin's functionality.",Wordpress,Mstore Api,4.3,MEDIUM,0.0011399999493733048,false,,false,false,false,,false,false,2023-06-14T02:15:00.000Z,0
CVE-2023-3198,https://securityvulnerability.io/vulnerability/CVE-2023-3198,Cross-Site Request Forgery Vulnerability in MStore API Plugin for WordPress,"The MStore API plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the mstore_update_status_order_message function. This flaw enables unauthenticated attackers to manipulate order status messages by sending forged requests if they can deceive a site administrator into engaging in a harmful action, such as clicking on a malicious link. It's crucial to implement nonce checks to mitigate this vulnerability and protect site integrity.",Wordpress,Mstore Api,4.3,MEDIUM,0.0011399999493733048,false,,false,false,false,,false,false,2023-06-14T02:15:00.000Z,0
CVE-2023-3203,https://securityvulnerability.io/vulnerability/CVE-2023-3203,Cross-Site Request Forgery Vulnerability in MStore API Plugin for WordPress,"The MStore API plugin for WordPress contains a vulnerability that exposes it to Cross-Site Request Forgery attacks due to the absence of nonce validation in the mstore_update_limit_product function. This flaw allows unauthenticated attackers to manipulate product limit configurations within categories through crafted requests. An attacker could exploit this by tricking a site administrator into executing an action, such as clicking on a malicious link, potentially impacting the site's functionality and user experience.",Wordpress,Mstore Api,4.3,MEDIUM,0.0010499999625608325,false,,false,false,false,,false,false,2023-06-14T02:15:00.000Z,0
CVE-2023-3200,https://securityvulnerability.io/vulnerability/CVE-2023-3200,Cross-Site Request Forgery in MStore API Plugin for WordPress,"The MStore API plugin for WordPress exhibits a vulnerability to Cross-Site Request Forgery due to inadequate nonce validation in the mstore_update_new_order_message function. This flaw could allow attackers to send forged requests, enabling them to manipulate new order messages if they successfully deceive a site administrator into clicking a malicious link. Proper nonce checks are critical to prevent such unauthorized actions and secure user interactions.",Wordpress,Mstore Api,4.3,MEDIUM,0.0011399999493733048,false,,false,false,false,,false,false,2023-06-14T02:15:00.000Z,0
CVE-2020-36713,https://securityvulnerability.io/vulnerability/CVE-2020-36713,Authentication Bypass in MStore API Plugin for WordPress,"The MStore API plugin for WordPress, in versions through 2.1.5, contains a vulnerability that allows unauthenticated attackers to bypass authentication controls. This flaw arises from unrestricted access to the 'register' and 'update_user_profile' endpoints, enabling malicious users to create or delete administrator accounts and escalate privileges on existing accounts. Such security issues pose a significant risk to the integrity of WordPress websites using this plugin, making timely updates crucial.",Wordpress,Mstore Api,9.8,CRITICAL,0.006500000134110451,false,,false,false,false,,false,false,2023-06-07T01:51:32.059Z,0
CVE-2023-2734,https://securityvulnerability.io/vulnerability/CVE-2023-2734,Authentication Bypass in MStore API Plugin for WordPress,"The MStore API plugin for WordPress is susceptible to an authentication bypass vulnerability due to inadequate user verification during cart sync operations via mobile REST API requests. This flaw allows unauthenticated attackers to potentially gain access to the system as existing users, including administrators, by exploiting their user IDs. Users should evaluate their installations and apply necessary security measures to mitigate this risk.",Wordpress,MStore API,9.8,CRITICAL,0.0024399999529123306,false,,false,false,false,,false,false,2023-05-25T03:15:00.000Z,0
CVE-2023-2733,https://securityvulnerability.io/vulnerability/CVE-2023-2733,Authentication Bypass in MStore API Plugin for WordPress,"The MStore API plugin for WordPress is affected by an authentication bypass vulnerability that allows unauthenticated attackers to gain access to user accounts, including administrator accounts. This flaw stems from a lack of adequate user verification during the coupon redemption REST API requests. Attackers can exploit this vulnerability to log in as any existing user by merely knowing the user ID, putting sensitive information at risk and threatening the overall security of the affected WordPress sites.",Wordpress,MStore API,9.8,CRITICAL,0.0024399999529123306,false,,false,false,false,,false,false,2023-05-25T03:15:00.000Z,0
CVE-2023-2732,https://securityvulnerability.io/vulnerability/CVE-2023-2732,Authentication Bypass Vulnerability in MStore API Plugin for WordPress,"The MStore API plugin for WordPress is susceptible to an authentication bypass vulnerability within its add listing REST API request. This vulnerability arises from inadequate validation of the user information that is supplied, enabling unauthenticated attackers to gain access as any existing user, including administrators, provided they possess the user ID. This poses a significant risk to user accounts and site integrity.",Wordpress,MStore API,9.8,CRITICAL,0.19562000036239624,false,,false,false,true,true,false,false,2023-05-25T03:15:00.000Z,0
CVE-2021-24148,https://securityvulnerability.io/vulnerability/CVE-2021-24148,MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple,"A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.",Wordpress,Mstore Api,9.8,CRITICAL,0.0038799999747425318,false,,false,false,false,,false,false,2021-03-18T14:57:50.000Z,0