cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2024-12042

CVE, Research URL

CVE-2024-12042

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Dec 13, 2024
Research Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.
Affected versions
Min -, max 4.16.5.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
WP Vegas (CVE-2025-43841) , May 05, 2025
Crossword Compiler Puzzles (CVE-2025-46490) , May 05, 2025
CheckBot (CVE-2025-43840) , May 05, 2025
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder (CVE-2025-3521) , May 05, 2025
AM LottiePlayer – Vector animations for WordPress (CVE-2025-1529) , May 05, 2025