CVE-2025-3438

May 2, 2025, 1:52 p.m.

6.5
Medium

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

Product(s) Impacted

Vendor Product Versions
Mstore
  • Mstore Api
  • <4.17.5
Wcfm
  • Wcfm Marketplace
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a mstore mstore_api <4.17.5 / / / / / / /
a wcfm wcfm_marketplace / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413
https://plugins.trac.wordpress.org/changeset/3277790
https://plugins.trac.wordpress.org/changeset/3279132/
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve

Tags

security@wordfence.com
CWE-269
2025-05-02
CVE-2025-3438

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: May 2, 2025, 6:15 a.m.
Last Modified: May 2, 2025, 1:52 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.