MStore API
cpe:2.3:a:inspireui:mstore_api:*:*:*:*:wordpress:*:*
- <= 4.17.4
A limited privilege escalation vulnerability has been identified in the MStore API WordPress plugin, in versions through 4.17.4. The issue arises from inadequate role restrictions during the registration process, which allow unauthenticated users to register with the 'wcfm_vendor' role. The vulnerability is exploitable only if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is active.
Exploitation lets unauthorized users gain vendor roles, potentially leading to unauthorized access or actions within the marketplace.
To reproduce this vulnerability, send a POST request to the '/register' endpoint of the MStore API plugin. Include a 'role' parameter set to 'wcfm_vendor'. This request can be made without authentication, taking advantage of the lack of role validation in versions prior to 4.17.4.
Users are advised to update the MStore API WordPress plugin to version 4.17.5 or later.
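For sites that cannot update right away, the missing role restriction can be enforced from outside the plugin. The following is an added example, not code from MStore API or its vendor: a small must-use plugin that resets any role outside an allowlist on accounts created by anonymous REST requests. The `reg_guard_*` names and the allowlist are hypothetical, and it assumes the role is already assigned when WordPress fires `user_register` and that legitimate vendor sign-ups on the site do not go through the REST API.

```php
<?php
/**
 * Plugin Name: Registration role guard (added example, hypothetical names)
 * Stopgap until MStore API is updated to 4.17.5 or later.
 */

// Assumption: self-service sign-ups on this site should only ever
// receive one of these roles. Adjust to the site's own policy.
const REG_GUARD_ALLOWED_ROLES = array( 'subscriber', 'customer' );

// Late priority so other user_register callbacks have already run.
add_action( 'user_register', 'reg_guard_check_new_user', 99 );

function reg_guard_check_new_user( $user_id ) {
    // Only police accounts created through the REST API by anonymous
    // callers; admin-created users and logged-in flows are left alone.
    $is_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;
    if ( ! $is_rest || is_user_logged_in() ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Any role outside the allowlist (for example 'wcfm_vendor') is unexpected.
    $unexpected = array_diff( $user->roles, REG_GUARD_ALLOWED_ROLES );
    if ( empty( $unexpected ) ) {
        return;
    }

    // Replace all roles with the site default and leave an audit trail.
    $fallback = get_option( 'default_role', 'subscriber' );
    $user->set_role( $fallback );
    error_log( sprintf(
        'reg-guard: user %d registered via REST with role(s) %s; reset to %s',
        $user_id,
        implode( ',', $unexpected ),
        $fallback
    ) );
}
```

Placed in `wp-content/mu-plugins/`, the guard loads before regular plugins and its log lines double as a record of registration attempts that asked for an elevated role.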