CVE-2025-4683
📋 TL;DR
The MStore API WordPress plugin, in versions up to and including 4.17.5, is missing an authorization check on its blog-creation functionality, so any authenticated user with the Subscriber role or higher can create posts they should not be allowed to create. Every WordPress site running an affected version is exposed. An attacker holding a low-privilege account can use the flaw to add unauthorized content to the site. The issue is fixed in 4.17.6.
💻 Affected Systems
- MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin, versions up to and including 4.17.5
📦 What is this software?
MStore API by InspireUI: a plugin that exposes a WordPress site through a REST API so that the vendor's native Android and iOS apps can use the site as their backend.
⚠️ Risk & Real-World Impact
Worst Case
Attackers create spam, malicious, or defamatory content that damages reputation, spreads malware, or manipulates SEO rankings. Could lead to site blacklisting or legal issues.
Likely Case
Spam content creation, unauthorized blog posts, content pollution, and potential SEO manipulation by low-privilege users.
If Mitigated
Limited to content creation only - no administrative access, file upload, or data exfiltration capabilities.
🎯 Exploit Status
Exploitation requires an authenticated account with at least the Subscriber role; on sites that allow open registration an attacker can simply create one. With a valid session the attack is a single HTTP POST to the vulnerable REST endpoint, so no special tooling is needed once the endpoint is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.6 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3293669/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MStore API plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.17.6 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable MStore API Plugin
Temporarily disable the vulnerable plugin until it is patched (this also disconnects the mobile apps that depend on it):
wp plugin deactivate mstore-api
Restrict User Registration
Disable new user registration so an attacker cannot self-provision the Subscriber account the attack requires:
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove untrusted accounts, or at least review every Subscriber-level user, since any such account is sufficient to exploit the flaw
- Add web application firewall rules that block POST requests to /wp-json/mstore/*/blog/create. Confirm the exact route on your site before deploying the rule, and note that a path-based block also stops legitimate app users from creating posts through the API until the plugin is updated
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → MStore API version. If version ≤ 4.17.5, vulnerable.
Check Version:
wp plugin get mstore-api --field=version
Verify Fix Applied:
Confirm MStore API plugin version is 4.17.6 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/mstore/*/blog/create from Subscriber-level users
- Multiple post creations from non-author/editor roles
Network Indicators:
- HTTP POST to mstore API blog creation endpoints from unexpected user roles
SIEM Query (illustrative; field names depend on your log pipeline, and the user_role field requires a WordPress-side audit log, since web server access logs do not record the role of the authenticated user):
source="wordpress" AND uri_path="/wp-json/mstore/*/blog/create" AND http_method="POST" AND user_role="subscriber"
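The following must-use plugin is an added example written for this page; it is not code from the MStore API plugin or from InspireUI. It ties together the "If You Can't Patch" workaround, the version check from "How to Verify", and the log indicators above: it refuses post creation through the blog-create route on behalf of any user who lacks the edit_posts capability (the check the advisory says is missing), writes a log line for every denial so the SIEM query has something to match, and shows an admin notice while the installed version is below 4.17.6. Two things are assumptions rather than facts from the advisory and must be confirmed on your site: the route regular expression in ROUTE, derived from the wildcard path /wp-json/mstore/*/blog/create, and the plugin's main file name mstore-api/mstore-api.php.

```php
<?php
/**
 * Plugin Name: CVE-2025-4683 virtual patch (added example, not vendor code)
 * Description: Refuses and logs post creation through the MStore API blog-create
 *              route on behalf of users who lack the edit_posts capability, and
 *              warns in wp-admin while the installed plugin version is below 4.17.6.
 *
 * Install as wp-content/mu-plugins/cve-2025-4683-guard.php. Assumptions not taken
 * from the advisory: the route pattern in ROUTE and the plugin's main file name.
 */

final class CVE_2025_4683_Guard {
    // Assumed from the advisory's wildcard path /wp-json/mstore/*/blog/create;
    // confirm against the routes the plugin actually registers before relying on it.
    const ROUTE         = '#^/mstore/[^/]+/blog/create/?$#i';
    const FIXED_VERSION = '4.17.6';

    /** Route of the REST POST currently being dispatched, or null outside such a request. */
    private static $route = null;

    public static function boot() {
        // Priority 1 so the route is captured before anything else can short-circuit dispatch.
        add_filter( 'rest_pre_dispatch', array( __CLASS__, 'remember_route' ), 1, 3 );
        add_filter( 'rest_post_dispatch', array( __CLASS__, 'forget_route' ), 10, 3 );
        add_filter( 'wp_insert_post_empty_content', array( __CLASS__, 'gate_insert' ), 10, 2 );
        add_action( 'admin_notices', array( __CLASS__, 'version_notice' ) );
    }

    public static function remember_route( $result, $server, $request ) {
        self::$route = ( 'POST' === $request->get_method() ) ? $request->get_route() : null;
        return $result; // never alter the dispatch result here
    }

    public static function forget_route( $result, $server, $request ) {
        self::$route = null; // internal rest_do_request() calls must not inherit the route
        return $result;
    }

    /**
     * Pure decision used by the gate: deny when the insert happens inside a POST to
     * the blog-create route and the post's author cannot edit posts. Kept side-effect
     * free so it can be exercised without a running WordPress.
     */
    public static function should_deny( $route, $author_can_edit ) {
        return null !== $route
            && 1 === preg_match( self::ROUTE, $route )
            && ! $author_can_edit;
    }

    /**
     * The check sits on wp_insert_post() rather than on the REST dispatcher so it holds
     * whether the plugin resolves its user before or inside the route callback.
     * user_can( 0, ... ) is false, so an insert with no resolvable author is denied too.
     */
    public static function gate_insert( $maybe_empty, $postarr ) {
        $author = ! empty( $postarr['post_author'] ) ? (int) $postarr['post_author'] : get_current_user_id();
        if ( ! self::should_deny( self::$route, user_can( $author, 'edit_posts' ) ) ) {
            return $maybe_empty;
        }
        error_log( sprintf(
            'CVE-2025-4683 denied post insert: author_id=%d ip=%s route=%s',
            $author,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
            self::$route
        ) );
        return true; // wp_insert_post() treats the post as empty and refuses to create it
    }

    /** true while the installed MStore API is in the vulnerable range, null if not installed. */
    public static function is_vulnerable() {
        if ( ! function_exists( 'get_plugin_data' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $main = WP_PLUGIN_DIR . '/mstore-api/mstore-api.php'; // assumed main file name
        if ( ! file_exists( $main ) ) {
            return null;
        }
        $data = get_plugin_data( $main, false, false );
        return version_compare( $data['Version'], self::FIXED_VERSION, '<' );
    }

    public static function version_notice() {
        if ( true === self::is_vulnerable() && current_user_can( 'update_plugins' ) ) {
            echo '<div class="notice notice-error"><p>MStore API is below '
                . esc_html( self::FIXED_VERSION )
                . ' and affected by CVE-2025-4683. Update the plugin.</p></div>';
        }
    }
}

CVE_2025_4683_Guard::boot();
```

The denial is placed on the wp_insert_post_empty_content filter deliberately: a check on rest_pre_dispatch would run before a plugin that authenticates its token inside the route callback has set the current user, and would then either block everyone or nobody. Denied inserts land in the PHP error log as "CVE-2025-4683 denied post insert", which is the WordPress-side record the detection query above needs; the rule is a stopgap, and updating to 4.17.6 remains the fix.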
🔗 References
- https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L24
- https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L46
- https://plugins.trac.wordpress.org/changeset/3293669/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b335bd15-7af7-4d8b-ad01-b1d9e76beb53?source=cve