CVE-2024-8242 — Unrestricted File Upload in Mstore API

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGHNVD

CNA4.3

EPSS

1.6%

top 18.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud

Timeline

PublishedSep 13

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registrat…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud4.15.3

▶NVDinspireui/mstore_api< 4.15.4

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload↗2024-09-13

▶

GHSA

GHSA-cj63-c83g-7mc2: The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type v↗2024-09-13

▶