CVE-2023-3201
published 2023-06-14CVE-2023-3201: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function…
PriorityP417medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.32%
23.3th percentile
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspireui | mstore_api | <= 3.9.6 | — |
| inspireui | mstore_api_create_native_android_ios_apps_on_the_cloud | <= 3.9.6 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
MStore API Plugin up to 3.9.6 on WordPress Order Title Update cross-site request forgery
vuldb·2026-04-10·CVSS 4.3
CVE-2023-3201 [MEDIUM] MStore API Plugin up to 3.9.6 on WordPress Order Title Update cross-site request forgery
A vulnerability was found in MStore API Plugin up to 3.9.6 on WordPress. It has been declared as problematic. This issue affects some unknown processing of the component Order Title Update. Such manipulation leads to cross-site request forgery.
This vulnerability is documented as CVE-2023-3201. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-fg8x-c2rv-v75q: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title f
ghsa_unreviewed·2023-06-14
CVE-2023-3201 [MEDIUM] CWE-352 GHSA-fg8x-c2rv-v75q: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title f
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/mstore-api.php#L240https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2925048%40mstore-api&new=2925048%40mstore-api&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158?source=cvehttps://plugins.trac.wordpress.org/browser/mstore-api/trunk/mstore-api.php#L240https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2925048%40mstore-api&new=2925048%40mstore-api&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158?source=cve
2023-06-14
Published