CVE-2023-3198
published 2023-06-14
CVE-2023-3198: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message…
Priority P4 17 · medium 4.3 · CVSS 3.1
AV:N AC:L PR:N UI:R S:U C:N I:L A:N
EPSS: 0.32% (23.3th percentile)
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspireui | mstore_api | <= 3.9.6 | — |
| inspireui | mstore_api_create_native_android_ios_apps_on_the_cloud | <= 3.9.6 | — |
CVSS provenance
nvd · v3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vendor_redhat · 7.8 HIGH
VulDB
MStore API Plugin up to 3.9.6 on WordPress Status Update cross-site request forgery
vuldb·2026-04-10·CVSS 4.3
CVE-2023-3198 [MEDIUM] MStore API Plugin up to 3.9.6 on WordPress Status Update cross-site request forgery
A vulnerability was found in MStore API Plugin up to 3.9.6 on WordPress. It has been classified as problematic. This vulnerability affects unknown code of the component Status Update Handler. This manipulation causes cross-site request forgery.
This vulnerability is registered as CVE-2023-3198. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-cqff-8mr6-7h9r: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_mess
ghsa_unreviewed·2023-06-14
CVE-2023-3198 [MEDIUM] CWE-352 GHSA-cqff-8mr6-7h9r: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_mess
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Red Hat
kernel: mptcp: use the workqueue to destroy unaccepted sockets
vendor_redhat·2025-05-02·CVSS 7.8
CVE-2023-53072 [HIGH] CWE-416 kernel: mptcp: use the workqueue to destroy unaccepted sockets
In the Linux kernel, the following vulnerability has been resolved:
mptcp: use the workqueue to destroy unaccepted sockets
Christoph reported a UaF at token lookup time after having
refactored the passive socket initialization part:
BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260
Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198
CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x6e/0x91
print_report+0x16a/0x46f
kasan_report+0xad/0x130
__token_bucket_busy+0x253/0x260
mptcp_token_new_connect+0x13d/0x4
No detection rules found.
No public exploits indexed.
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/mstore-api.php#L264
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2925048%40mstore-api&new=2925048%40mstore-api&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b?source=cve
Published 2023-06-14