CVE-2024-6328

9.8 CRITICAL

📋 TL;DR

The MStore API WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any existing user by exploiting insufficient verification of the 'phone' parameter. This affects all versions up to 4.14.7, potentially enabling administrative account takeover or unauthorized user creation even when registration is disabled.

💻 Affected Systems

Products:
  • MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin
Versions: All versions up to and including 4.14.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration when the affected functions are enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access, leading to complete site compromise, data theft, malware injection, or site defacement.

🟠 Likely Case

Attackers create unauthorized accounts or hijack existing user accounts to access sensitive data or perform malicious actions.

🟢 If Mitigated

With proper network controls and monitoring, exploitation attempts are detected and blocked before successful compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of target email/phone and access to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.14.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3115231/

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find MStore API plugin.
4. Click 'Update Now' if update available.
5. Alternatively, download version 4.14.8+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable endpoints

all

Temporarily disable the firebase_sms_login and firebase_sms_login_v2 functions via plugin settings or code modification.

Web Application Firewall rule

all

Block requests to /wp-json/api/flutter_user/firebase_sms_login and /wp-json/api/flutter_user/firebase_sms_login_v2 endpoints.

🧯 If You Can't Patch

  • Disable the MStore API plugin entirely until patched
  • Implement strict network access controls to limit access to WordPress admin and API endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for MStore API version. If version ≤4.14.7, system is vulnerable.

Check Version:

wp plugin list --name=mstore-api --field=version

Verify Fix Applied:

Confirm plugin version is 4.14.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts via /wp-json/api/flutter_user/firebase_sms_login endpoints
  • Multiple failed login attempts followed by successful login from same IP
  • User creation events when registration is disabled

Network Indicators:

  • POST requests to /wp-json/api/flutter_user/firebase_sms_login* with manipulated phone parameters
  • Unusual traffic patterns to authentication endpoints

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/api/flutter_user/firebase_sms_login" OR uri_path="/wp-json/api/flutter_user/firebase_sms_login_v2")
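
The log indicators above can also be checked directly against a web server access log. The following is an added example, not code from the plugin or the vendor: it assumes Combined Log Format, assumes a rejected request returns 4xx/5xx and an accepted login returns 2xx, and uses constructed sample lines. The names `rest_route`, `scan` and `SAMPLE` are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# REST route prefix from this advisory; a prefix match also covers the _v2 route.
ROUTE_PREFIX = "/api/flutter_user/firebase_sms_login"
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    _, sep, rest = parts.path.partition("/wp-json/")
    if sep:                       # also matches subdirectory installs (/blog/wp-json/...)
        return "/" + rest
    # WordPress serves the same routes via ?rest_route=, which a uri_path-only filter misses.
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def scan(lines):
    """Summarise POSTs to the SMS-login routes per client IP."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST":
            route = rest_route(m["target"])
            if route and route.startswith(ROUTE_PREFIX):
                events[m["ip"]].append(int(m["status"]))
    report = {}
    for ip, statuses in events.items():
        seen_fail = fail_then_ok = False
        for s in statuses:        # assumption: 4xx/5xx = rejected, 2xx = login accepted
            if s >= 400:
                seen_fail = True
            elif 200 <= s < 300 and seen_fail:
                fail_then_ok = True
        report[ip] = {"requests": len(statuses), "fail_then_success": fail_then_ok,
                      "successes": sum(200 <= s < 300 for s in statuses)}
    return report

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2024:10:00:01 +0000] "POST /wp-json/api/flutter_user/firebase_sms_login HTTP/1.1" 400 112 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2024:10:00:03 +0000] "POST /wp-json/api/flutter_user/firebase_sms_login_v2 HTTP/1.1" 200 845 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jul/2024:10:02:00 +0000] "POST /index.php?rest_route=%2Fapi%2Fflutter_user%2Ffirebase_sms_login HTTP/1.1" 200 850 "-" "okhttp/4.9"',
    '198.51.100.20 - - [10/Jul/2024:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Calling `scan(SAMPLE)` returns one summary per client IP; on a site that does not use the mobile app's SMS login, any entry at all is worth correlating with new sessions or new user accounts.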
