CVE-2024-12042
📋 TL;DR
The MStore API WordPress plugin has a stored XSS vulnerability in its profile picture upload functionality. Authenticated attackers with subscriber-level access can upload malicious HTML files that execute scripts when accessed. This affects all versions up to and including 4.16.4.
💻 Affected Systems
- MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin
📦 What is this software?
Mstore Api by Inspireui
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors through script execution.
Likely Case
Attackers with subscriber accounts upload malicious HTML files that execute scripts when viewed, potentially stealing session cookies or performing actions as the viewing user.
If Mitigated
With proper file type validation and content security policies, the risk is limited to file storage abuse without script execution.
🎯 Exploit Status
Exploitation requires authenticated access but only subscriber-level permissions. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3205338/mstore-api/trunk/functions/index.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find MStore API plugin.
4. Click 'Update Now' if update available.
5. If no update available, download version 4.16.5+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable plugin
All platforms: Temporarily disable the vulnerable plugin until patched
wp plugin deactivate mstore-api
Restrict file uploads
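Linux: Use .htaccess or web server configuration to block HTML file uploads. The rule below denies requests for .html/.htm files in the directory where it is placed, so an uploaded HTML file cannot be served from there; it does not stop the upload itself. On Apache 2.4 these directives require mod_access_compat.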
<FilesMatch "\.(html|htm)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove subscriber upload permissions via custom code or user role editor plugins
- Implement web application firewall rules to block HTML file uploads to the affected endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → MStore API version. If version is 4.16.4 or lower, you are vulnerable.
Check Version:
wp plugin get mstore-api --field=version
Verify Fix Applied:
After updating, verify plugin version is 4.16.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML file uploads via MStore API endpoints
- Multiple failed upload attempts with different file extensions
Network Indicators:
- POST requests to /wp-content/plugins/mstore-api/upload endpoints with HTML file content
SIEM Query:
source="wordpress.log" AND "mstore-api" AND "upload" AND ("html" OR "htm")
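
Added example (not code from the plugin, the vendor or this advisory): shell helpers that implement the version check from "How to Verify" and sweep a directory for stored HTML files, the artifact described under "Log Indicators". The helper names, the directory passed to `find_html_uploads` and the content markers are assumptions; `sort -V` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of wp-cli or the plugin.

FIXED_VERSION="4.16.5"   # patch version stated on this page

# is_vulnerable VERSION
# Returns 0 if VERSION is older than FIXED_VERSION, 1 if not, 2 if empty.
is_vulnerable() {
    v=$1
    [ -n "$v" ] || return 2
    [ "$v" = "$FIXED_VERSION" ] && return 1
    # sort -V orders dotted versions numerically, so 4.16.10 sorts after 4.16.5
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# find_html_uploads DIR
# Prints files under DIR that are HTML by extension (any case) or whose
# first 512 bytes contain an HTML marker despite another extension.
find_html_uploads() {
    dir=$1
    [ -d "$dir" ] || return 2
    find "$dir" -type f | while IFS= read -r f; do
        case $(printf '%s' "$f" | tr 'A-Z' 'a-z') in
            *.html|*.htm) printf '%s\n' "$f"; continue ;;
        esac
        # Marker list is an assumption; extend it to match local policy.
        if head -c 512 "$f" | LC_ALL=C grep -aqiE '<(!doctype|html|script|body|iframe)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage (the uploads path is site-specific and an assumption):
#   is_vulnerable "$(wp plugin get mstore-api --field=version)" && echo "update needed"
#   find_html_uploads /path/to/wp-content/uploads
```

Files reported by the sweep are candidates for review, not confirmed malicious content; compare their timestamps against the upload requests in the web server log.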