CVE-2025-4683 — Missing Authorization in Mstore API

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 57.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inspireui Mstore API Inspireui Mstore API Create Native Android IOS Apps ON THE Cloud

Timeline

PublishedMay 27

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5inspireui/mstore_api_create_native_android_ios_apps_on_the_cloud4.17.5

▶NVDinspireui/mstore_api< 4.17.6

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-w349-f9mw-226w: The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missin↗2025-05-27

▶

CVEList

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation↗2025-05-27

▶