Insecure Direct Object Reference in MStore API for WordPress
CVE-2026-3568

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Mstore Api – Create Native Android & iOS Apps On The Cloud
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-3568?

The MStore API plugin for WordPress is susceptible to an Insecure Direct Object Reference due to improper handling of the 'meta_data' JSON parameter in the update_user_profile() function. This vulnerability allows authenticated attackers with Subscriber-level access and above to manipulate arbitrary user meta fields, potentially modifying sensitive data such as user levels and specific plugin authorizations without adequate validation or sanitization. Attackers could exploit this to perform unauthorized actions, including privilege escalation and possibly introducing Stored XSS vulnerabilities in admin contexts.

Affected Version(s)

MStore API – Create Native Android & iOS Apps On The Cloud 0 <= 4.18.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/mstore-api/tru...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Osvaldo Noe Gonzalez Del Rio

CVE-2026-3568 Data

JSON