Authentication Bypass Vulnerability in MStore API Plugin
CVE-2024-6328

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Mstore Api – Create Native Android & iOS Apps On The Cloud
Vendor
CVE Published:
12 July 2024

Summary

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress exhibits a serious vulnerability that allows unauthenticated attackers to bypass authentication controls. This flaw is attributed to poor verification processes related to the 'phone' parameter within the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. As a result, attackers can gain access as any user, including administrators, if they possess the requisite email address or phone number. Furthermore, when an unauthorized email address is provided, the system erroneously creates a new user account with default permissions, regardless of the status of registration settings.

Affected Version(s)

MStore API – Create Native Android & iOS Apps On The Cloud * <= 4.14.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/mstore-api/tru...
https://plugins.trac.wordpress.org/browser/mstore-api/tru...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Truoc Phan
.