CVE-2023-3277
published 2023-11-03

Priority: P1 · 82 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.89% (85.1th percentile)

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
inspireui | mstore_api | <= 4.10.7 |
inspireui | mstore_api_create_native_android_ios_apps_on_the_cloud | <= 4.10.7 |

Detection & IOCs (extracted from sources)

url: /wp-json/api/flutter_user/apple_login
path: /wp-content/plugins/mstore-api/
command: {"token":"{{token}}","first_name":"{{firstname}}","last_name":"{{lastname}}"}
bytes: base64-encoded token with format: .{base64({"email":"<victim@email>"})}. (dot-padded JWT-like structure with no signature)
  • Detect exploit attempts by monitoring POST requests to /wp-json/api/flutter_user/apple_login with a JSON body containing a 'token' field that follows the pattern .<base64_payload>. (dot-wrapped base64, no valid Apple JWT signature).
  • A successful exploitation response will contain all three fields 'wp_user_id', 'cookie', and 'user_login' in the JSON body with HTTP 200 and Content-Type application/json — use these as confirmation of account takeover.
  • Identify vulnerable WordPress installations by searching for the string /wp-content/plugins/mstore-api/ in HTTP response bodies (FOFA/PublicWWW fingerprint).
  • The vulnerability resides in the Apple login handler at controllers/flutter-user.php line 821; audit or monitor file integrity of this path in MStore API <= 4.10.7.
  • The exploit requires only knowledge of the target user's email address; no credentials or prior authentication are needed, making automated scanning at scale trivial.
  • No patch was available at time of disclosure; the Nuclei template notes 'No patch available yet; monitor for updates from the developer and apply patches as soon as they are released.'
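
The first two detection notes above, combined into a log triage check. This is an added example, not code from the plugin, the Nuclei template or this site; the event field names (method, path, request_body, status, response_body), the output labels and the sample events are assumptions constructed for illustration. A three-part token is only shape-checked here, not signature-verified.

```python
import base64
import json

ENDPOINT = "/wp-json/api/flutter_user/apple_login"
SUCCESS_KEYS = {"wp_user_id", "cookie", "user_login"}

def load_obj(text):
    """Parse JSON text/bytes into a dict; None on any failure."""
    try:
        obj = json.loads(text)
    except (ValueError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None

def classify_token(token):
    """Return 'three-part', 'unsigned-email-token' (dot-wrapped shape) or 'malformed'."""
    parts = token.split(".") if isinstance(token, str) else []
    if len(parts) != 3:
        return "malformed"
    if parts[0] and parts[2]:
        return "three-part"  # shape only; the signature is NOT verified here
    seg = parts[1].rstrip("=")
    try:
        claims = load_obj(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # binascii.Error is a ValueError
        return "malformed"
    return "unsigned-email-token" if claims and "email" in claims else "malformed"

def triage(event):
    """Label one log event: None (irrelevant), 'ok-shape', 'attempt' or 'takeover'."""
    if event["method"] != "POST" or event["path"].split("?")[0].rstrip("/") != ENDPOINT:
        return None
    req = load_obj(event["request_body"]) or {}
    if classify_token(req.get("token")) == "three-part":
        return "ok-shape"
    resp = load_obj(event["response_body"]) or {}
    hit = event["status"] == 200 and SUCCESS_KEYS.issubset(resp)
    return "takeover" if hit else "attempt"

# Constructed sample events; the field names are an assumed log schema.
UNSIGNED = ".eyJlbWFpbCI6ImFAZXhhbXBsZS50ZXN0In0=."
SHAPED = "eyJhbGciOiJSUzI1NiJ9.eyJlbWFpbCI6ImFAZXhhbXBsZS50ZXN0In0.c2lnbmF0dXJl"
LOGIN = '{"wp_user_id":1,"cookie":"REDACTED","user_login":"a"}'
SAMPLE_EVENTS = [
    {"method": "POST", "path": ENDPOINT, "status": 200, "request_body": json.dumps({"token": UNSIGNED}), "response_body": LOGIN},
    {"method": "POST", "path": ENDPOINT, "status": 400, "request_body": json.dumps({"token": UNSIGNED}), "response_body": '{"code":"error"}'},
    {"method": "POST", "path": ENDPOINT, "status": 200, "request_body": json.dumps({"token": SHAPED}), "response_body": LOGIN},
    {"method": "GET", "path": "/wp-json/", "status": 200, "request_body": "", "response_body": "{}"},
]
LABELS = [triage(e) for e in SAMPLE_EVENTS]
```

An event labelled 'takeover' matches both the request pattern and the three-field success response described above, so the session cookie issued in that response should be treated as compromised.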

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL
vendor_redhat | 6.5 | MEDIUM