CVE-2025-3438

The MStore API  Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace  Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace  Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
WordfenceCNA
6.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
inspireuimstore_api
𝑥
< 4.17.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413
https://plugins.trac.wordpress.org/changeset/3277790
https://plugins.trac.wordpress.org/changeset/3279132/
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve