cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2023-3198

CVE, Research URL

CVE-2023-3198

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Jun 14, 2023
Research Description
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 3.9.6.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
WordPress Easy Guide (CVE-2025-46460) , May 05, 2025
Page View Count (CVE-2025-2816) , May 05, 2025
Job Listings (CVE-2025-3918) , May 04, 2025
Popups, Email Popup, Exit Intent Pop Up, Upsell Pop Up, Cart Abandonment Popups, Contact Form Builder – Personizely (CVE-2025-3779) , May 04, 2025
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025