Login Sign Up

CVE-2023-2734

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

The MStore API WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any existing user, including administrators, by exploiting insufficient verification in mobile REST API cart sync requests. This affects WordPress sites using MStore API plugin versions up to 3.9.1. Attackers only need access to a target user's ID to exploit this vulnerability.

💻 Affected Systems

Products:
  • MStore API WordPress Plugin
Versions: Up to and including 3.9.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable MStore API plugin versions enabled.

📦 What is this software?

Mstore Api by Inspireui

View all CVEs affecting Mstore Api →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise with administrative access, data theft, malware injection, and defacement.

🟠

Likely Case

Unauthorized access to user accounts, privilege escalation, and potential data exfiltration.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Lower risk if not internet-facing, but still vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires knowledge of user IDs but is otherwise straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2915729%40mstore-api&old=2913397%40mstore-api&sfp_email=&sfph_mail=#file59

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find MStore API plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.9.2+ from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable MStore API Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate mstore-api

Restrict API Access

linux

Block access to MStore API endpoints via web application firewall or .htaccess.

# Add to .htaccess: RewriteRule ^wp-content/plugins/mstore-api/.* - [F,L]

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the WordPress site
  • Enable detailed logging and monitoring for authentication events and API access

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > MStore API version. If version is 3.9.1 or lower, you are vulnerable.

Check Version:

wp plugin get mstore-api --field=version

Verify Fix Applied:

Verify MStore API plugin version is 3.9.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication events from unexpected IPs
  • Multiple failed login attempts followed by successful login
  • API requests to /wp-json/mstore-api/* endpoints with user ID parameters

Network Indicators:

  • POST requests to MStore API endpoints without proper authentication headers
  • Unusual traffic patterns to WordPress REST API

SIEM Query:

source="wordpress" AND (uri_path="/wp-json/mstore-api/*" OR plugin="mstore-api") AND (event_type="authentication" OR http_method="POST")

📊 Metadata

CVE ID: CVE-2023-2734
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: May 25, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON