WordPress Plugin Vulnerabilities

MStore API < 4.0.7 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers

Affects Plugins

Plugin icon
mstore-api
Fixed in 4.0.7

References

CVE
CVE-2023-45055

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Truoc Phan
Verified
No
WPVDB ID
488117c3-b032-4f33-a6c5-dd5702f9e774

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-11-15 (about 2 years ago)
Last Updated
2023-11-15 (about 2 years ago)

Other

Published
Title
Published
2024-04-16
Title
SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton
Published
2023-01-19
Title
GiveWP < 2.24.1 - Unauthenticated SQLi
Published
2016-12-19
Title
404 Redirection Manager 1.0 - SQL Injection
Published
2015-03-09
Title
All In One WP Security & Firewall <= 3.8.7 - SQL Injection
Published
2025-10-21
Title
Email Tracker < 5.3.16 - Authenticated (Admin+) SQL Injection