CVE-2023-3202 — Cross-Site Request Forgery in Mstore API Create Native Android IOS Apps ON THE Cloud

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud Inspireui Mstore API

Timeline

PublishedJul 12

Description

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDinspireui/mstore_api3.9.6

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud3.9.6

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

MStore API <= 3.9.6 - Cross-Site Request Forgery to Firebase Server Key Update↗2023-07-12

▶

GHSA

GHSA-w69v-wc99-wc9q: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_k↗2023-07-12

▶