CVE-2026-3568

EPSS 0.03%
Veröffentlicht 09.04.2026 02:25:06
Zuletzt bearbeitet 13.04.2026 15:02:47
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to  Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.

Mögliche Gegenmaßnahme

MStore API – Create Native Android & iOS Apps On The Cloud: Update to version 4.18.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt MStore API – Create Native Android & iOS Apps On The Cloud

Version *-4.18.3

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerinspireui

≫

Produkt MStore API – Create Native Android & iOS Apps On The Cloud

Default Statusunaffected

Version <= 4.18.3

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.094

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=cve

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1078

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1080

https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1080

https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1012

https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1012

https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1078

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494266%40mstore-api&new=3494266%40mstore-api&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3568

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3568

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3568

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3568