Vulnerabilities (CVE)

Filtered by vendor Inspireui Subscribe
Filtered by product Mstore Api
Total 23 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-36713 1 Inspireui 1 Mstore Api 2024-11-21 N/A 9.8 CRITICAL
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.
CVE-2024-8242 1 Inspireui 1 Mstore Api 2024-09-18 N/A 8.8 HIGH
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.
CVE-2024-8269 1 Inspireui 1 Mstore Api 2024-09-18 N/A 6.5 MEDIUM
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.