WordPress Plugin Vulnerabilities

MStore API – Create Native Android & iOS Apps On The Cloud < 4.15.4 - Unauthorized User Registration

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.

Affects Plugins

Plugin icon
mstore-api
Fixed in 4.15.4

References

CVE
CVE-2024-8269
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/59c5b6e7-74b0-430d-8b4a-5a42220f3ec9

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.3 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
0b4b6754-0e8f-455f-bf80-5043a809c8e7

Timeline

Publicly Published
2024-09-12 (about 1 year ago)
Added
2024-09-12 (about 1 year ago)
Last Updated
2024-09-13 (about 1 year ago)

Other

Published
Title
Published
2024-10-31
Title
Multiple Page Generator Plugin – MPG < 4.0.2 - Missing Authorization
Published
2019-07-17
Title
Coming Soon Page & Maintenance Mode < 1.8.2 - Arbitrary Settings Reset
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Published
2021-10-05
Title
Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal
Published
2020-08-04
Title
CMP - Coming Soon & Maintenance < 3.8.2 - Improper Access Controls on AJAX Calls