CVE-2024-12042 — Unrestricted File Upload in Mstore API

CWE-434 — Unrestricted File Upload CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 61.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud

Timeline

PublishedDec 13

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud4.16.4

▶NVDinspireui/mstore_api< 4.16.5

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting)↗2024-12-13

▶

GHSA

GHSA-gjq7-3xfx-fg78: The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile pictu↗2024-12-13

▶