cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2024-7628

CVE, Research URL

CVE-2024-7628

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Aug 15, 2024
Research Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires firebase to be configured on the website and the user to have set up firebase for their account.
Affected versions
Min -, max 4.15.3.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
CheckBot (CVE-2025-43840) , May 05, 2025
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder (CVE-2025-3521) , May 05, 2025
AM LottiePlayer – Vector animations for WordPress (CVE-2025-1529) , May 05, 2025
WordPress Easy Guide (CVE-2025-46460) , May 05, 2025
Page View Count (CVE-2025-2816) , May 05, 2025