cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2024-8242

CVE, Research URL

CVE-2024-8242

Home page URL

Security reports for MStore API

Application

MStore API

Published on
Sep 13, 2024
Research Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.
Affected versions
Min -, max 4.15.4.
Status
vulnerable
Previous vulnerability researches
MStore API (CVE-2024-6328) , Jul 12, 2024
MStore API (CVE-2024-12042) , Dec 15, 2024
MStore API (CVE-2024-7628) , Aug 16, 2024
MStore API (CVE-2025-3438) , May 04, 2025
MStore API (CVE-2021-24148) , Jun 07, 2024
New vulnerability
WordPress Easy Guide (CVE-2025-46460) , May 05, 2025
Page View Count (CVE-2025-2816) , May 05, 2025
Job Listings (CVE-2025-3918) , May 04, 2025
Popups, Email Popup, Exit Intent Pop Up, Upsell Pop Up, Cart Abandonment Popups, Contact Form Builder – Personizely (CVE-2025-3779) , May 04, 2025
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025