
Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. The cause is a lack of role restriction during registration. This makes it possible for unauthenticated attackers to register with the 'wcfm_vendor' role, which is the Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
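As an added illustration of the mitigation for this class of defect (CWE-269), the following is a hypothetical WordPress REST registration callback that only honours an allow-list of self-service roles and ignores any other role the client sends. It is not code from the MStore API plugin; the route, function names and the allowed-role list are assumptions made for the example.

```php
<?php
// Hypothetical hardened registration handler written for this note; not code
// from MStore API. Illustrates the fix for CWE-269: a client-supplied "role"
// is never trusted, only an explicit allow-list of self-service roles is used.

// Roles a self-registering user may legitimately receive (assumed list).
// Anything else (administrator, shop_manager, wcfm_vendor, ...) is ignored
// and the account falls back to the site's default role.
const EXAMPLE_SELF_REGISTER_ROLES = ['subscriber', 'customer'];

/**
 * Resolve the role for a new account from an untrusted request value.
 * Returns an allowed, existing role name or the site's default role.
 */
function example_resolve_registration_role($requested) {
    $role = is_string($requested) ? sanitize_key($requested) : '';
    if (in_array($role, EXAMPLE_SELF_REGISTER_ROLES, true) && get_role($role)) {
        return $role;
    }
    // Missing, unknown or privileged role requested: do not honour it.
    return get_option('default_role', 'subscriber');
}

function example_register_user(WP_REST_Request $request) {
    $username = sanitize_user((string) $request->get_param('username'), true);
    $email    = sanitize_email((string) $request->get_param('email'));
    $password = (string) $request->get_param('password');
    if ($username === '' || !is_email($email) || $password === '') {
        return new WP_Error('invalid_input', 'username, email and password are required', ['status' => 400]);
    }
    $user_id = wp_insert_user([
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        // The role is decided server-side, never copied from the request.
        'role'       => example_resolve_registration_role($request->get_param('role')),
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    return rest_ensure_response(['id' => $user_id, 'roles' => get_userdata($user_id)->roles]);
}

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/register', [
        'methods'             => 'POST',
        'callback'            => 'example_register_user',
        'permission_callback' => '__return_true', // self-registration is unauthenticated by design
    ]);
});
```

When reviewing a registration endpoint for this issue, check that every role assignment on the path to wp_insert_user or WP_User::set_role derives from such an allow-list rather than from request input.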

Status: PUBLISHED | Reserved 2025-04-07 | Published 2025-05-02 | Updated 2026-04-08 | Assigner: Wordfence

MEDIUM: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Problem types

CWE-269 Improper Privilege Management

Product status

Default status: unaffected

Any version: affected

Timeline

2025-05-01: Disclosed

Credits

Brian Sans-Souci (finder)

References

www.wordfence.com/...-f94b-4fcb-9b74-ecddde2bf29d?source=cve

plugins.trac.wordpress.org/...k/controllers/flutter-user.php

plugins.trac.wordpress.org/...k/controllers/flutter-user.php

plugins.trac.wordpress.org/changeset/3277790

plugins.trac.wordpress.org/changeset/3279132/

cve.org (CVE-2025-3438)

nvd.nist.gov (CVE-2025-3438)
