cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2023-3202

CVE, Research URL

CVE-2023-3202

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Jul 12, 2023
Research Description
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 4.0.2.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
Author Box After Posts (CVE-2025-46263) , May 05, 2025
WP Vegas (CVE-2025-43841) , May 05, 2025
Crossword Compiler Puzzles (CVE-2025-46490) , May 05, 2025
CheckBot (CVE-2025-43840) , May 05, 2025
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder (CVE-2025-3521) , May 05, 2025