Authentication Bypass Vulnerability in MStore API Plugin
CVE-2024-6328

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Mstore Api – Create Native Android & iOS Apps On The Cloud
Vendor: CVE Published:; 12 July 2024

What is CVE-2024-6328?

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress exhibits a serious vulnerability that allows unauthenticated attackers to bypass authentication controls. This flaw is attributed to poor verification processes related to the 'phone' parameter within the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. As a result, attackers can gain access as any user, including administrators, if they possess the requisite email address or phone number. Furthermore, when an unauthorized email address is provided, the system erroneously creates a new user account with default permissions, regardless of the status of registration settings.

Affected Version(s)

MStore API – Create Native Android & iOS Apps On The Cloud * <= 4.14.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/mstore-api/tru...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2024
Vulnerability Reserved
Jun 25, 2024

Credit

Truoc Phan

Wordpress

What is CVE-2024-6328?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit