cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12042,https://securityvulnerability.io/vulnerability/CVE-2024-12042,Stored Cross-Site Scripting Vulnerability in MStore API Plugin,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-13T08:24:50.600Z,0
CVE-2024-11179,https://securityvulnerability.io/vulnerability/CVE-2024-11179,Vulnerability in MStore API Plugin Allows SQL Injection,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,6.5,MEDIUM,0.0006600000197067857,false,,false,false,false,,false,false,2024-11-20T09:31:54.943Z,0
CVE-2024-8242,https://securityvulnerability.io/vulnerability/CVE-2024-8242,Arbitrary File Upload Vulnerability in MStore API Plugin,"The MStore API plugin for WordPress has a vulnerability that permits authenticated users, including those with subscriber-level access, to upload arbitrary files due to insufficient file type validation in the update_user_profile() function. This issue affects all versions up to and including 4.15.3. By exploiting this vulnerability, attackers can place potentially malicious files on the server, which may be used for remote code execution. Additionally, when combined with a registration endpoint open to unauthenticated users, this vulnerability can be leveraged to create more severe security risks.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,8.8,HIGH,0.0006699999794363976,false,,false,false,false,,false,false,2024-09-13T15:10:45.570Z,0
CVE-2024-8269,https://securityvulnerability.io/vulnerability/CVE-2024-8269,Unauthorized User Registration Vulnerability in MStore API Plugin,"The MStore API Plugin, used for creating native Android and iOS applications on the WordPress platform, is vulnerable to unauthorized user registration across all versions up to and including 4.15.3. This vulnerability arises from the lack of validation when registering users through the register() function. Attackers can exploit this flaw to create user accounts on WordPress sites, undermining the user registration settings intended to restrict such actions. The vulnerability poses significant risks, particularly for sites where user registration should be disabled. Site administrators are advised to assess their use of the MStore API Plugin and consider applying necessary patches or updates to safeguard their environments.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-09-13T15:10:38.839Z,0
CVE-2024-7628,https://securityvulnerability.io/vulnerability/CVE-2024-7628,"Authentication Bypass Vulnerability in MStore API Plugin for WordPress","The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress has a vulnerability that allows for authentication bypass due to improper type comparison in the 'verify_id_token' function. This flaw allows unauthorized users to gain access to any existing account on the site, including administrative accounts, when they have access to an @flutter.io email address or phone number. Proper configuration of Firebase for the website is required for exploitation, along with user account setup on Firebase.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,8.1,HIGH,0.0006300000241026282,false,,false,false,false,,false,false,2024-08-15T02:30:37.281Z,0
CVE-2024-6328,https://securityvulnerability.io/vulnerability/CVE-2024-6328,Authentication Bypass Vulnerability in MStore API Plugin,"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress exhibits a serious vulnerability that allows unauthenticated attackers to bypass authentication controls. This flaw is attributed to poor verification processes related to the 'phone' parameter within the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. As a result, attackers can gain access as any user, including administrators, if they possess the requisite email address or phone number. Furthermore, when an unauthorized email address is provided, the system erroneously creates a new user account with default permissions, regardless of the status of registration settings.",Wordpress,Mstore Api – Create Native Android & iOS Apps On The Cloud,9.8,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-12T10:59:56.085Z,0