Vulnerability Description
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inspireui | Mstore Api | <= 4.10.7 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-Product
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9feThird Party Advisory
- https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9feThird Party Advisory
FAQ
What is CVE-2023-3277?
CVE-2023-3277 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login fea...
How severe is CVE-2023-3277?
CVE-2023-3277 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-3277?
Check the references section above for vendor advisories and patch information. Affected products include: Inspireui Mstore Api.