cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2024-6328

CVE, Research URL

CVE-2024-6328

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Jul 12, 2024
Research Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.
Affected versions
Min -, max 4.15.0.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder (CVE-2025-3521) , May 05, 2025
AM LottiePlayer – Vector animations for WordPress (CVE-2025-1529) , May 05, 2025
WordPress Easy Guide (CVE-2025-46460) , May 05, 2025
Page View Count (CVE-2025-2816) , May 05, 2025
Job Listings (CVE-2025-3918) , May 04, 2025