CVE-2023-3200
Published 2023-06-14
CVE-2023-3200: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message…
Priority: P417, medium, 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.32% (23.3th percentile)
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspireui | mstore_api | <= 3.9.6 | — |
| inspireui | mstore_api_create_native_android_ios_apps_on_the_cloud | <= 3.9.6 | — |
VulDB
MStore API Plugin up to 3.9.6 on WordPress Order Message Update cross-site request forgery
vuldb·2026-04-10·CVSS 4.3
CVE-2023-3200 [MEDIUM] MStore API Plugin up to 3.9.6 on WordPress Order Message Update cross-site request forgery
A vulnerability categorized as problematic has been discovered in MStore API Plugin up to 3.9.6 on WordPress. The affected element is an unknown function of the component Order Message Update. Executing a manipulation can lead to cross-site request forgery.
This vulnerability appears as CVE-2023-3200. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-f944-qwmg-97h3: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message
ghsa_unreviewed·2023-06-14
CVE-2023-3200 [MEDIUM] CWE-352 GHSA-f944-qwmg-97h3: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/mstore-api.php#L248
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2925048%40mstore-api&new=2925048%40mstore-api&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d?source=cve
2023-06-14
Published