CVE-2023-3201 — Cross-Site Request Forgery in Mstore API Create Native Android IOS Apps ON THE Cloud

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 72.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud Inspireui Mstore API

Timeline

PublishedJun 14

Latest updateApr 10

Description

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDinspireui/mstore_api3.9.6

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud3.9.6

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

MStore API Plugin up to 3.9.6 on WordPress Order Title Update cross-site request forgery↗2026-04-10

▶

GHSA

GHSA-fg8x-c2rv-v75q: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title f↗2023-06-14

▶

CVEList

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Title Update↗2023-06-14

▶