CVE-2023-3198 — Cross-Site Request Forgery in Mstore API Create Native Android IOS Apps ON THE Cloud

CWE-352 — Cross-Site Request Forgery CWE-416 — Use After Free5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 71.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud Inspireui Mstore API

Timeline

PublishedJun 14

Latest updateApr 10

Description

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDinspireui/mstore_api3.9.6

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud3.9.6

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

MStore API Plugin up to 3.9.6 on WordPress Status Update cross-site request forgery↗2026-04-10

▶

GHSA

GHSA-cqff-8mr6-7h9r: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_mess↗2023-06-14

▶

CVEList

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Status Update↗2023-06-14

▶

📋Vendor Advisories

Red Hat

kernel: mptcp: use the workqueue to destroy unaccepted sockets↗2025-05-02

▶