CVE-2024-11179SQL Injection in Mstore API

CWE-89SQL Injection3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 40.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Inspireui Mstore APIInspireui Mstore API Create Native Android IOS Apps ON THE Cloud
Timeline
PublishedNov 20

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sen

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDinspireui/mstore_api< 4.15.8

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
MStore API <= 4.15.7 - Authenticated (Subscriber+) SQL Injection2024-11-20
GHSA
GHSA-2p5q-6jvg-jx9f: The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in2024-11-20
CVE-2024-11179 — SQL Injection in Inspireui Mstore API | cvebase