MStore API Missing Authorization Vulnerability Allows Unauthorized Post Creation

Vulnerability

A vulnerability exists in the MStore API WordPress plugin ('Create Native Android & iOS Apps On The Cloud'), versions 4.17.5 and prior. The issue arises from a missing capability check in the 'create_blog' function, which allows authenticated users with Subscriber-level access or higher to create new posts. Accounts that should not be able to publish content can use this to modify site data without authorization.

Impact

Exploitation of this vulnerability allows for unauthorized post creation by authenticated users with Subscriber-level access or higher.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or above sends a request to the 'create_blog' endpoint, which does not check the user's capabilities. The request can include a title, content, author, date, status, categories, token, and image. Because there is no capability check, the post is created, bypassing the intended restrictions.

Remediation

Users are advised to update the MStore API WordPress plugin to version 4.17.6 or later, where this vulnerability has been patched.
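For developers reviewing similar endpoints, the following added example (not the plugin's code and not taken from the 4.17.6 patch) shows what a capability check on a post-creation REST handler looks like in WordPress. The route namespace `example/v1` and the function name `example_create_blog` are hypothetical; the example assumes WordPress has already authenticated the caller, and it handles only the title, content, author and status fields.

```php
<?php
// Added illustration: route, namespace and function names are hypothetical.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/create_blog', [
        'methods'             => 'POST',
        'callback'            => 'example_create_blog',
        // Weak form: 'permission_callback' => 'is_user_logged_in' admits any
        // Subscriber. Require a capability that Subscribers do not hold.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
    ]);
});

function example_create_blog(WP_REST_Request $request) {
    $status = sanitize_key($request->get_param('status') ?: 'draft');
    if (!in_array($status, ['draft', 'pending', 'publish'], true)) {
        return new WP_Error('invalid_status', 'Unsupported post status.', ['status' => 400]);
    }
    // Publishing needs its own capability: Contributors hold edit_posts
    // but not publish_posts.
    if ($status === 'publish' && !current_user_can('publish_posts')) {
        return new WP_Error('rest_forbidden', 'You cannot publish posts.', ['status' => 403]);
    }
    // Ignore a client-supplied author unless the caller may edit others' posts.
    $author    = get_current_user_id();
    $requested = absint($request->get_param('author'));
    if ($requested && $requested !== $author) {
        if (!current_user_can('edit_others_posts')) {
            return new WP_Error('rest_forbidden', 'You cannot post as another user.', ['status' => 403]);
        }
        $author = $requested;
    }
    $post_id = wp_insert_post([
        'post_title'   => sanitize_text_field((string) $request->get_param('title')),
        'post_content' => wp_kses_post((string) $request->get_param('content')),
        'post_status'  => $status,
        'post_author'  => $author,
        'post_type'    => 'post',
    ], true); // true: return a WP_Error on failure instead of 0
    if (is_wp_error($post_id)) {
        return $post_id;
    }
    return rest_ensure_response(['id' => $post_id]);
}
```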

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.