MStore API Insecure Direct Object Reference Vulnerability in WordPress

A vulnerability exists in the MStore API plugin for WordPress, affecting all versions up to and including 4.18.3. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated users with Subscriber-level access and above to manipulate arbitrary user meta fields on their own accounts. This vulnerability arises because the 'meta_data' JSON parameter is processed without proper validation or sanitization, enabling the modification of sensitive fields such as wp_user_level, which could be exploited to escalate privileges to administrator-level checks. The vulnerability is located in the 'update_user_profile' function within 'controllers/flutter-user.php'.

Impact

Exploitation of this vulnerability allows for unauthorized modification of user meta data, including sensitive information that could be used to escalate privileges or execute cross-site scripting attacks.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to the 'api/flutter_user/update_user_profile' endpoint. The request must include the 'meta_data' parameter with arbitrary keys and values, bypassing the lack of validation or sanitization. This can be done using a tool like Postman or through custom scripts that automate the process.

Remediation

Users are advised to update the MStore API plugin to version 4.18.4 or later, where this vulnerability has been patched.