Access violation vulnerability in MStore API 3.9.6

The MStore API plugin for WordPress can be manipulated by attackers with minimal permissions (even a subscriber) to change the plugin’s settings without authorization. This vulnerability was found in all versions up to 3.9.5, and is caused by the lack of capability checks on several functions called via AJAX actions. Examples of these functions include mstore_delete_json_file, mstore_update_limit_product, mstore_update_firebase_server_key, mstore_update_new_order_title, mstore_update_new_order_message, mstore_update_status_order_title, and mstore_update_status_order_message.
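The missing check described above, shown as an added example beside its corrected form; this is not the MStore API plugin's own code. The action name is taken from the advisory, while the function names, option key and nonce action are hypothetical.

```php
<?php
// Added illustration, not the MStore API plugin's source. The action name comes
// from the advisory; the option key and nonce action are hypothetical.

// Pattern described in the advisory: a wp_ajax_{action} hook runs for ANY
// logged-in user, subscribers included, and the handler checks no capability.
function example_update_limit_product_unchecked() {
    update_option( 'example_limit_product', absint( $_POST['limit'] ?? 0 ) );
    wp_send_json_success();
}

// Corrected form: verify intent (nonce) and authorization (capability) first.
function example_update_limit_product() {
    // Stops the request with a 403 if the nonce is missing or invalid (CSRF).
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Only users who can manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    if ( ! isset( $_POST['limit'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing limit' ), 400 );
    }

    update_option( 'example_limit_product', absint( wp_unslash( $_POST['limit'] ) ) );
    wp_send_json_success();
}

// Register only the checked handler. No wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_mstore_update_limit_product', 'example_update_limit_product' );
```

The nonce alone is not an authorization control, since any logged-in user who can load a page that prints it can replay it; the `current_user_can()` call is what closes the gap the advisory describes.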

Detected in:

MStore API fixed vulnerable versions: >= * < 3.9.7

This information is sourced from www.wpvulnerability.com, an open-source database of vulnerabilities maintained by the community.

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21
