cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2023-3201

CVE, Research URL

CVE-2023-3201

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Jun 14, 2023
Research Description
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 3.9.7.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
Best Posts Summary (CVE-2025-39374) , May 05, 2025
Author Box After Posts (CVE-2025-46263) , May 05, 2025
WP Vegas (CVE-2025-43841) , May 05, 2025
Crossword Compiler Puzzles (CVE-2025-46490) , May 05, 2025
CheckBot (CVE-2025-43840) , May 05, 2025