CVE-2025-3438

Published: May 2, 2025Modified: May 6, 2025

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 3.9 / Impact: 3.4

Source: NVD

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

Affected (1)

Products: Inspireui: Mstore Api

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Inspireui Mstore Api	Before 4.17.5

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (5)

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset/3277790

Source: security@wordfence.com

Patch

https://plugins.trac.wordpress.org/changeset/3279132/

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.