CVE-2020-36713

9.8 CRITICAL

📋 TL;DR

The MStore API WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to create administrator accounts, delete existing admin accounts, or escalate privileges on any account. This affects WordPress sites using MStore API plugin versions 2.1.5 and earlier. Attackers can gain full control of vulnerable WordPress installations.

💻 Affected Systems

Products:
  • WordPress MStore API plugin
Versions: Versions up to and including 2.1.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable MStore API plugin versions are affected regardless of configuration.

📦 What is this software?

MStore API is a WordPress plugin by InspireUI that exposes REST API endpoints so the MStore and FluxStore mobile apps can talk to a WooCommerce store: user registration and login, profile updates, product and order data. Because those endpoints are meant to be called by a mobile app, they are reachable by anyone who can reach the site's REST API, which is why a flaw in their access checks is directly exploitable from the internet.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover with attacker creating admin accounts, deleting legitimate administrators, and deploying malware or ransomware across the entire WordPress installation.

🟠

Likely Case

Attackers create backdoor admin accounts to maintain persistent access, steal sensitive data, deface websites, or install cryptocurrency miners.

🟢

If Mitigated

With the vulnerable endpoints blocked or the plugin disabled, and the site segmented from other systems and monitored for new administrator accounts, impact is limited to the single WordPress instance with no lateral movement to other systems.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability requires no authentication, making exploitation trivial from anywhere.
🏢 Internal Only: MEDIUM - Internal WordPress instances could be compromised if attackers gain internal network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to vulnerable endpoints with no special tools or skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.6 and later

Vendor Advisory: https://wordpress.org/plugins/mstore-api/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MStore API plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, deactivate and delete the plugin, then install a fresh copy of version 2.1.6 or later from the WordPress plugin repository.
6. Patching does not undo accounts an attacker has already created or modified: review every user with the administrator role, remove any you did not create, and rotate credentials for accounts whose role or e-mail changed unexpectedly.

🔧 Temporary Workarounds

Disable MStore API plugin

all

Temporarily deactivate the vulnerable plugin until patched version can be installed.

wp plugin deactivate mstore-api

Block vulnerable API endpoints

linux

Use a web application firewall or .htaccess to block access to the /wp-json/mstore/register and /wp-json/mstore/update_user_profile endpoints. Three caveats: the rule below must sit before the `# BEGIN WordPress` rewrite block, because WordPress's own rule rewrites every request to index.php and stops processing; the WordPress REST API is also reachable as /index.php?rest_route=/mstore/... (and /?rest_route=...) regardless of permalink settings, so add a matching condition on the query string or the block is trivially bypassed; and blocking /register also breaks legitimate sign-ups from the mobile app, so treat this as a stopgap, not a fix. Sites on nginx have no .htaccess and need an equivalent `location` deny.

# Add to .htaccess:
RewriteEngine On
RewriteRule ^wp-json/mstore/(register|update_user_profile) - [F,L]

🧯 If You Can't Patch

  • Immediately disable MStore API plugin and remove it from the WordPress installation
  • Restrict access to the plugin's REST endpoints at the web server or WAF (restricting wp-admin alone does not help, since the attack goes through /wp-json and ?rest_route=), and monitor for new or modified administrator accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → MStore API version. If version is 2.1.5 or lower, you are vulnerable.

Check Version:

wp plugin list --name=mstore-api --field=version

Verify Fix Applied:

Verify MStore API plugin version is 2.1.6 or higher in WordPress admin panel.
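The check above can be scripted for fleets of sites. The following is an added example, not part of the advisory or the plugin vendor's tooling: it takes either the output of `wp plugin list --name=mstore-api --field=version` or the body of the plugin's public readme.txt (its "Stable tag:" line, assumed to be readable at /wp-content/plugins/mstore-api/readme.txt) and reports whether the version is below the fixed release. Versions are compared component by component, so 2.10.0 is correctly treated as newer than 2.1.6, which a plain string comparison gets wrong. The readme only reflects the installed version when the plugin files were updated in place; the wp-cli or admin-panel value remains authoritative.

```python
"""Added example (not from the advisory or the plugin vendor): decide whether an
installed MStore API version falls in the vulnerable range for CVE-2020-36713.

Input is either a bare version string (e.g. wp-cli output) or the text of the
plugin's readme.txt, whose "Stable tag:" line names the release. The readme path
and sample readme below are assumptions made for this example.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "2.1.6"  # first release the advisory lists as patched


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.5' (or '2.1.5-beta') into a tuple of ints for safe comparison.

    Tuple comparison avoids the string-compare bug where '2.10.0' < '2.1.6'.
    A suffix such as '-beta' is ignored; only the dotted numeric prefix counts.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def stable_tag_from_readme(readme: str) -> Optional[str]:
    """Extract the 'Stable tag:' value from a WordPress.org-style readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess(version_source: str, fixed: str = FIXED_VERSION) -> str:
    """Return a one-line verdict; accepts either a bare version or a readme body."""
    version = stable_tag_from_readme(version_source) or version_source.strip()
    verdict = "VULNERABLE" if is_vulnerable(version, fixed) else "patched"
    return f"mstore-api {version}: {verdict} (fixed in {fixed})"


# Constructed sample of what a pre-patch site's readme.txt might contain.
SAMPLE_README = """=== MStore API ===
Stable tag: 2.1.5
"""

if __name__ == "__main__":
    # Typical use: pipe wp-cli output in, or `curl -s .../readme.txt | python3 check.py`.
    import sys

    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_README
    print(assess(data))
```

Run it with no input to see the constructed sample evaluated, or pipe the site's readme.txt or the wp-cli version into it. A "patched" verdict only says the version is at or above 2.1.6; it does not confirm that no rogue administrator account was created before the update.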

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-json/mstore/register or /wp-json/mstore/update_user_profile
  • Sudden creation of new administrator accounts
  • A successful administrator login from a new IP address by an account that was created or had its role changed shortly before (no failed logins need precede it, since the attacker sets the credentials)

Network Indicators:

  • HTTP POST requests to vulnerable endpoints from external IPs
  • Unusual traffic patterns to WordPress REST API endpoints

SIEM Query:

source="web_logs" AND (uri_path="/wp-json/mstore/register" OR uri_path="/wp-json/mstore/update_user_profile") AND http_method="POST"

This query matches only the pretty-permalink form of the REST API. Extend it to also match POST requests whose query string contains rest_route=/mstore/ (possibly with URL-encoded slashes), otherwise an attacker using /index.php?rest_route=... leaves no hit.
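Where no SIEM is available, the same logic can be run over raw web-server access logs. The script below is an added example, not part of the advisory: it parses combined-format log lines, resolves the REST route for both URL shapes WordPress accepts (/wp-json/<route> and ?rest_route=/<route>, with URL-encoded slashes), and reports every POST to the endpoints the advisory names, including requests a WAF already answered with 403, since those still identify a scanning source. The log lines are constructed for illustration and use RFC 5737 documentation addresses.

```python
"""Added example (not from the advisory): flag POST requests to the MStore API
endpoints named in the advisory in Apache/nginx "combined" access logs,
including the ?rest_route= form that a path-only SIEM match would miss.
The sample log lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Routes named in the advisory, without the /wp-json prefix.
SUSPECT_ROUTES = ("/mstore/register", "/mstore/update_user_profile")

# combined format: host ident authuser [time] "METHOD TARGET PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    time: str
    route: str
    status: int


def rest_route(target: str) -> Optional[str]:
    """Return the REST route a request targets, or None if it is not a REST call.

    Handles both shapes WordPress accepts:
      /wp-json/<route>                  (pretty permalinks)
      /index.php?rest_route=/<route>    (always available; parse_qs decodes %2F)
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].rstrip("/")
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0].rstrip("/")
    return None


def find_hits(lines: Iterable[str]) -> List[Hit]:
    """Collect every POST, whatever its status, aimed at a suspect route."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        route = rest_route(m["target"])
        if route is None:
            continue
        if any(route == r or route.startswith(r + "/") for r in SUSPECT_ROUTES):
            hits.append(Hit(m["ip"], m["time"], route, int(m["status"])))
    return hits


def source_ips(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that attempted the calls, for blocking or pivoting."""
    return sorted({h.ip for h in hits})


# Constructed sample log (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2021:10:15:01 +0000] "POST /wp-json/mstore/register HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.10 - - [12/Mar/2021:10:15:07 +0000] "POST /index.php?rest_route=%2Fmstore%2Fupdate_user_profile HTTP/1.1" 200 301 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Mar/2021:10:16:00 +0000] "GET /wp-json/mstore/register HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2021:10:16:05 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 640 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2021:11:02:13 +0000] "POST /wp-json/mstore/register HTTP/1.1" 403 199 "-" "python-requests/2.25.1"',
]

if __name__ == "__main__":
    # Typical use: python3 scan.py < /var/log/apache2/access.log
    import sys

    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for h in find_hits(lines):
        print(f"{h.time}  {h.ip:<15} {h.status}  {h.route}")
```

A 200 on either route from an unfamiliar client is the signal to go straight to the user table and compare administrator accounts against a known-good list; 403s tell you who was probing and belong on a block list. The regular expression only understands the combined log format, so adjust LOG_RE if your server logs a custom layout.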

🔗 References
