CVE-2023-3277

9.8 CRITICAL

📋 TL;DR

The MStore API WordPress plugin has an authentication bypass vulnerability in its Apple login feature. Unauthenticated attackers can log in as any user by knowing their email address, leading to unauthorized account access and privilege escalation. All WordPress sites using MStore API version 4.10.7 or earlier are affected.

💻 Affected Systems

Products:
  • MStore API WordPress Plugin
Versions: Up to and including 4.10.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites with the MStore API plugin installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to WordPress sites, allowing complete site takeover, data theft, malware injection, and further network compromise.

🟠 Likely Case

Attackers compromise user accounts, steal sensitive data, modify content, and potentially escalate privileges to administrative roles.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to the affected WordPress instance with no lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires only knowledge of target email addresses. No authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check the plugin version in the WordPress admin panel.
2. If the version is 4.10.7 or earlier, follow the workarounds below.
3. Monitor plugin updates for the official patch.

🔧 Temporary Workarounds

Disable MStore API Plugin

Platform: all

Completely disable the vulnerable plugin until a patch is available

wp plugin deactivate mstore-api

Restrict Access to WordPress Admin

Platform: linux

Limit access to the WordPress admin interface to trusted IP addresses only. Note that these rules only cover /wp-admin; the vulnerable Apple login route lives under /wp-json/ and is not blocked by them, so this does not replace disabling the plugin.

# Add to wp-admin/.htaccess for Apache (2.2-style directives; on Apache 2.4 they need mod_access_compat):
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8

# Add to the server block in the nginx config:
location /wp-admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious authentication attempts
  • Enable detailed logging for all authentication events and monitor for unusual login patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > MStore API version. If the version is 4.10.7 or earlier, the site is vulnerable.

Check Version:

wp plugin get mstore-api --field=version

Verify Fix Applied:

Verify plugin is disabled or removed. Test authentication with known vulnerable endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts via Apple login endpoint
  • Multiple failed login attempts followed by a successful login from the same IP
  • User account logins from unexpected locations or IPs

Network Indicators:

  • HTTP POST requests to /wp-json/api/flutter_user/apple_login endpoint
  • Unusual authentication traffic patterns

SIEM Query:

source="wordpress.log" AND ("apple_login" OR "flutter_user") AND status=200
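The log indicators above turned into a small check over web-server access logs: an added example, not part of this advisory or of the plugin. It parses combined-format lines, picks out successful (HTTP 200) POSTs to the Apple login route, and counts them per source IP; the log lines, IP addresses and field names are constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx combined log format; the named groups are our own choice.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The route named in the advisory's network indicators.
APPLE_LOGIN_PATH = "/wp-json/api/flutter_user/apple_login"

# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2023:12:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jun/2023:12:00:05 +0000] "POST /wp-json/api/flutter_user/apple_login HTTP/1.1" 200 812
203.0.113.10 - - [10/Jun/2023:12:00:06 +0000] "POST /wp-json/api/flutter_user/apple_login HTTP/1.1" 200 815
198.51.100.7 - - [10/Jun/2023:12:01:00 +0000] "POST /wp-json/api/flutter_user/apple_login HTTP/1.1" 400 120
192.0.2.44 - - [10/Jun/2023:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3300
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore any query string when matching the route
    return entry

def find_apple_login_successes(log_text):
    """Entries for HTTP 200 POSTs to the Apple login route. Each one is a session
    issued through the vulnerable route and should be confirmed with the account owner."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].rstrip("/") == APPLE_LOGIN_PATH and e["status"] == 200:
            hits.append(e)
    return hits

def successes_per_source(log_text):
    """Count successful Apple-login POSTs per source IP; several from one IP in a
    short window is the pattern the log indicators above describe."""
    return Counter(e["ip"] for e in find_apple_login_successes(log_text))

if __name__ == "__main__":
    for ip, n in successes_per_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful apple_login POST(s)")
```

Point the same functions at a real access log (one line per request) and compare the resulting logins against the accounts' expected Apple sign-in usage.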

🔗 References