WordPress Plugin Vulnerabilities

MStore API < 2.1.6 - Unauthenticated Arbitrary Account Creation/Edition

Description

The MStore API WordPress plugin was affected by an Unauthenticated Arbitrary Account Creation/Edition security vulnerability.

Affects Plugins

Plugin icon
mstore-api
Fixed in 2.1.6

References

CVE
CVE-2020-36713
URL
https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet.com)
Verified
No
WPVDB ID
fc7ecfd3-a53d-4ea7-8ef3-21d483d8a453

Timeline

Publicly Published
2020-03-11 (about 5 years ago)
Added
2020-03-11 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2026-01-22
Title
Hospital Doctor Directory <= 1.3.9 - Subscriber+ Privilege Escalation
Published
2024-09-14
Title
Login with phone number < 1.7.50 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Published
2025-04-24
Title
Service Finder Bookings < 6.0 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'
Published
2026-01-05
Title
Download Manager < 3.3.41 - Unauthenticated Limited Privilege Escalation
Published
2020-02-17
Title
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation