CVE-2023-3203 — Cross-Site Request Forgery in Mstore API Create Native Android IOS Apps ON THE Cloud

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud Inspireui Mstore API

Timeline

PublishedJun 14

Latest updateApr 10

Description

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDinspireui/mstore_api3.9.6

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud3.9.6

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

MStore API Plugin up to 3.9.6 on WordPress Product Limit Update cross-site request forgery↗2026-04-10

▶

GHSA

GHSA-fw4w-m4pp-mgp9: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product fun↗2023-06-14

▶

CVEList

MStore API <= 3.9.6 - Cross-Site Request Forgery to Product Limit Update↗2023-06-14

▶