CVE-2025-3438
📋 TL;DR
The MStore API WordPress plugin allows unauthenticated attackers to register accounts with 'wcfm_vendor' privileges when the WCFM Marketplace plugin is active. This enables limited privilege escalation to vendor-level access without authentication. WordPress sites using MStore API up to version 4.17.4 with WCFM Marketplace installed are affected.
💻 Affected Systems
- MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin
- WCFM Marketplace – Multivendor Marketplace for WooCommerce WordPress plugin
📦 What is this software?
MStore API by InspireUI
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain vendor-level access to create/manage products, process orders, and potentially access sensitive customer data in the WooCommerce marketplace.
Likely Case
Unauthenticated attackers create vendor accounts to list fraudulent products, manipulate marketplace content, or conduct spam/scam operations.
If Mitigated
Attackers can only create vendor accounts but cannot access admin functions or core WordPress settings.
🎯 Exploit Status
Exploitation requires sending crafted registration requests to the vulnerable API endpoint. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3279132/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'MStore API' plugin.
4. Click 'Update Now' if an update is available.
5. Verify the version is 4.17.5 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the MStore API plugin until patched
wp plugin deactivate mstore-api
Restrict registration endpoint
Block access to the vulnerable API registration endpoint via the web server or WAF
# Apache: RewriteRule ^/wp-json/flutter-user/register - [F,L]
# Nginx: location ~* /wp-json/flutter-user/register { deny all; }
🧯 If You Can't Patch
- Disable user registration functionality in WordPress settings
- Implement Web Application Firewall (WAF) rules to block suspicious registration attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → MStore API version. If version ≤ 4.17.4 and WCFM Marketplace is active, system is vulnerable.
Check Version:
wp plugin get mstore-api --field=version
Verify Fix Applied:
After updating, send a test registration request to the endpoint that includes the vendor role. The request should be rejected with an error, or the created account should receive only the default subscriber role.
📡 Detection & Monitoring
Log Indicators:
- Multiple user registrations with 'wcfm_vendor' role
- Unusual registration attempts from single IPs
- POST requests to /wp-json/flutter-user/register endpoint
Network Indicators:
- HTTP POST to registration endpoint with role parameter
- Unusual traffic patterns to user registration API
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/flutter-user/register" OR message="*wcfm_vendor*role*")
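The log indicators above, turned into a small detector as an added example (not part of the original advisory). It parses combined-format access log lines, counts accepted POSTs to the registration endpoint per source IP, and flags IPs at or above a threshold; the sample log lines are constructed, and the `role` query-string check is best effort because a standard access log does not record POST bodies.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory; POSTs here are the primary log indicator.
VULN_ENDPOINT = "/wp-json/flutter-user/register"
VENDOR_ROLE = "wcfm_vendor"

# Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:12:00:01 +0000] "POST /wp-json/flutter-user/register HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2025:12:00:02 +0000] "POST /wp-json/flutter-user/register?role=wcfm_vendor HTTP/1.1" 200 540
203.0.113.7 - - [10/Apr/2025:12:00:03 +0000] "POST /wp-json/flutter-user/register HTTP/1.1" 200 512
198.51.100.4 - - [10/Apr/2025:12:05:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8123
198.51.100.4 - - [10/Apr/2025:12:06:00 +0000] "POST /wp-json/flutter-user/register HTTP/1.1" 403 0
"""

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def register_posts(log_text):
    """All POSTs to the vulnerable registration endpoint (any status)."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["method"] == "POST" and r["path"] == VULN_ENDPOINT]

def summarize(log_text, threshold=2):
    """Per-IP counts of accepted (2xx) registrations; IPs at or above threshold are flagged.
    The role parameter normally travels in the POST body, which the access log does not
    record, so the per-IP count of accepted registrations is the main signal."""
    posts = register_posts(log_text)
    accepted = Counter(r["ip"] for r in posts if 200 <= r["status"] < 300)
    return {
        "register_posts": len(posts),
        "accepted_per_ip": dict(accepted),
        "flagged_ips": sorted(ip for ip, n in accepted.items() if n >= threshold),
        "vendor_role_in_query": [r["ip"] for r in posts if VENDOR_ROLE in r["query"].get("role", [])],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Blocked requests (the 403 from the workaround rules above) are counted in `register_posts` but not in `accepted_per_ip`, so the flagged list only reflects registrations that actually went through.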
🔗 References
- https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392
- https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413
- https://plugins.trac.wordpress.org/changeset/3277790
- https://plugins.trac.wordpress.org/changeset/3279132/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve