cleantalk
Vulnerabilities and Security Researches

MStore API, CVE-2025-3438

CVE, Research URL

CVE-2025-3438

Home page URL

Security reports for MStore API

Application

MStore API

Published on
May 02, 2025
Research Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
Affected versions
Min -, max 4.17.5.
Status
vulnerable
Previous vulnerability researches
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2025-3102) , Apr 10, 2025
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2024-5485) , Jun 07, 2024
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2023-49749) , Jun 07, 2024
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2025-27007) , May 03, 2025
New vulnerability
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025
Subpage List (CVE-2025-4168) , May 04, 2025
OTP-less one tap Sign in (CVE-2025-3746) , May 04, 2025
Advanced Reorder Image Text Slider (CVE-2025-4188) , May 04, 2025
MStore API (CVE-2025-3438) , May 04, 2025