CVE-2021-24148
📋 TL;DR
The Sign In With Apple flow in the MStore API WordPress plugin contains a business logic flaw: given nothing more than the email address of an existing WordPress account, an unauthenticated attacker is issued that account's authentication cookie, with no proof that the caller owns the account or the Apple identity. If the email belongs to an administrator, the result is full site takeover. All WordPress sites running MStore API versions before 3.2.0 are affected.
💻 Affected Systems
- MStore API WordPress Plugin
📦 What is this software?
MStore API by InspireUI. The plugin exposes REST endpoints that InspireUI's mobile storefront apps (MStore / FluxStore) use to talk to a WordPress/WooCommerce site, including social login flows such as Sign In With Apple.
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.
Likely Case
Unauthorized access leading to data theft, content manipulation, or installation of malicious plugins/themes.
If Mitigated
Limited impact where the Sign In With Apple feature is disabled or the affected endpoint is blocked in front of WordPress, and where authentication logs are monitored for the indicators below. Note that strong passwords and MFA on the normal login form do not help here: the bypass issues the session cookie directly and never touches wp-login.php.
🎯 Exploit Status
Exploitation requires only a target account's email address and basic HTTP requests to the plugin's REST endpoint: no credentials, no Apple token, and no prior access. This makes it trivial to automate against any unpatched site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.0
Advisory (WPScan): https://wpscan.com/vulnerability/bf5ddc43-974d-41fa-8276-c1a27d3cc882
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the MStore API plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Sign In With Apple
Temporarily disable the vulnerable Sign In With Apple feature in the plugin settings.
Disable Plugin
Deactivate the MStore API plugin until patched (this also takes the mobile app's API offline):
wp plugin deactivate mstore-api
🧯 If You Can't Patch
- Add web application firewall (WAF) rules that block requests to the Sign In With Apple endpoint. This also breaks legitimate Apple logins from the mobile app, so treat it as a stop-gap until the update is applied.
- Restrict access to the WordPress admin interface (wp-admin, wp-login.php) by IP allowlisting or VPN. This limits what a stolen cookie can be used for but does not stop the cookie being issued: the same cookie also authenticates calls to the WordPress REST API, so keep the endpoint block in place as well.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for MStore API version. If version is below 3.2.0, the site is vulnerable.
Check Version:
wp plugin get mstore-api --field=version
Verify Fix Applied:
Confirm MStore API plugin version is 3.2.0 or higher in WordPress admin panel.
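For fleet checks it is easy to get the version comparison wrong with plain string comparison ("3.10.0" sorts before "3.2.0"). The following is an added example for this advisory, not code from the plugin or its vendor: it compares dotted version numbers numerically and, where wp-cli is available, reads the installed version with the same `wp plugin get mstore-api --field=version` command shown above (`--path` is wp-cli's global flag for the WordPress install directory).

```python
"""Report whether an installed MStore API version predates the 3.2.0 fix."""
import re
import shutil
import subprocess

FIXED_VERSION = "3.2.0"  # first fixed release per the advisory


def parse_version(version):
    """Turn '3.1.9', '3.2' or '3.10.1-beta' into a tuple of ints for comparison.

    Numeric tuples avoid the string-compare bug where '3.10.0' < '3.2.0'.
    Missing trailing components count as zero; a non-numeric suffix such as
    '-beta' is ignored for the purpose of this check.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_vulnerable(installed_version):
    """True when the installed version is below the fixed release."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def check_site(wp_path="."):
    """Ask wp-cli for the installed plugin version.

    Returns (version, vulnerable), or (None, None) when wp-cli is not on PATH
    or the plugin is not installed at wp_path, so callers can tell 'not
    affected' apart from 'could not determine'.
    """
    if shutil.which("wp") is None:
        return None, None
    proc = subprocess.run(
        ["wp", "plugin", "get", "mstore-api", "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None, None
    version = proc.stdout.strip()
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_site()
    if version is None:
        print("mstore-api not found or wp-cli unavailable")
    else:
        state = "VULNERABLE (< 3.2.0)" if vulnerable else "OK"
        print(f"mstore-api {version}: {state}")
```

Run it from the WordPress root (or pass the install path to `check_site`); a non-zero wp-cli exit, for example because the plugin is not installed, is reported as undetermined rather than as safe.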
📡 Detection & Monitoring
Log Indicators:
- Authentication events via the Sign In With Apple endpoint for accounts that never use the mobile app, above all administrator accounts
- New administrator sessions with no matching wp-login.php POST beforehand (the bypass produces no failed-login noise, so do not wait for brute-force patterns)
Network Indicators:
- HTTP requests to the /wp-json/mstore/v1/apple-login endpoint carrying an email parameter, especially many distinct emails from one client IP or from a non-mobile user agent such as a scripting library. Confirm the exact route path against your installed plugin build first; the REST index at /wp-json/ lists every registered route.
- Unusual traffic to WordPress admin areas or to wp-json user/plugin endpoints shortly after such a request
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/mstore/v1/apple-login" OR user_agent CONTAINS "MStore")
This query only selects the relevant traffic; the legitimate mobile app hits the same endpoint and may carry "MStore" in its user agent, so alert on what follows: group by client IP, count distinct email values, and raise on any request naming an administrator's email or on one IP cycling through several accounts.
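The detection logic described above, run over access-log lines, as an added example for this advisory (not code from the plugin, its vendor or WPScan). It assumes the route path as written on this page, that the email value arrives in the query string so it is visible in the web-server log (confirm how your plugin build accepts the parameter; a body parameter would need request logging at the application layer), and a combined-log-format access log. The log lines, IP addresses, account emails and the burst threshold are constructed for the example.

```python
"""Flag CVE-2021-24148 indicators in web-server access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

APPLE_LOGIN_PATH = "/wp-json/mstore/v1/apple-login"  # route as stated in the advisory

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one scripted client cycling through accounts,
# one genuine mobile-app login, one unrelated request, one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /wp-json/mstore/v1/apple-login?email=admin%40example.test HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [10/Mar/2021:10:01:05 +0000] "GET /wp-json/mstore/v1/apple-login?email=editor%40example.test HTTP/1.1" 200 498 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [10/Mar/2021:10:01:09 +0000] "GET /wp-json/mstore/v1/apple-login?email=shop%40example.test HTTP/1.1" 200 470 "-" "python-requests/2.25.1"',
    '198.51.100.20 - - [10/Mar/2021:10:02:30 +0000] "GET /wp-json/mstore/v1/apple-login?email=alice%40example.test HTTP/1.1" 200 481 "-" "MStore/1.0 (iPhone; iOS 14.4)"',
    '198.51.100.21 - - [10/Mar/2021:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8431 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match.

    Adds 'path' (target without query) and 'email' (decoded email query
    parameter, or None when absent).
    """
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["email"] = parse_qs(parts.query).get("email", [None])[0]
    return rec


def find_apple_login_abuse(lines, admin_emails, burst_threshold=3):
    """Return a list of (client_ip, reason) findings.

    The endpoint alone is not an alert, since the legitimate mobile app uses
    it too. Two signals separate abuse from normal logins:
      * any request to the endpoint naming an administrator's email
      * one client IP trying >= burst_threshold distinct emails
    """
    admin_set = {e.lower() for e in admin_emails}
    emails_by_ip = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != APPLE_LOGIN_PATH:
            continue
        email = (rec["email"] or "").lower()
        if email in admin_set:
            findings.append((rec["ip"], f"apple-login request for admin account {email} -> HTTP {rec['status']}"))
        if email:
            emails_by_ip[rec["ip"]].add(email)
    for ip, emails in emails_by_ip.items():
        if len(emails) >= burst_threshold:
            findings.append((ip, f"{len(emails)} distinct emails tried against apple-login"))
    return findings


if __name__ == "__main__":
    for ip, reason in find_apple_login_abuse(SAMPLE_LOG, ["admin@example.test"]):
        print(f"{ip}: {reason}")
```

On the constructed sample the scripted client 203.0.113.7 is reported twice (once for naming the administrator account, once for cycling through three accounts) while the single genuine app login from 198.51.100.20 is not. Feed it real logs with `find_apple_login_abuse(open(path), admin_emails)` and tune `burst_threshold` to your traffic; on a patched site the same requests are still visible but should no longer return a session cookie.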