Inspireui Mstore Api vulnerabilities

CVE-2023-3201 [MEDIUM] CWE-352 CVE-2023-3201: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a li

CVE-2023-3203 [MEDIUM] CWE-352 CVE-2023-3203: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a forged request granted they can trick a site administ

CVE-2023-3198 [MEDIUM] CWE-352 CVE-2023-3198: The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicki

CVE-2020-36713 [CRITICAL] CWE-288 CVE-2020-36713: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate pri

CVE-2023-2733 [CRITICAL] CWE-288 CVE-2023-2733: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such

CVE-2023-2732 [CRITICAL] CWE-288 CVE-2023-2732: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an

CVE-2023-2734 [CRITICAL] CWE-288 CVE-2023-2734: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site,

CVE-2021-24148 [CRITICAL] CWE-287 CVE-2021-24148: A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authenticat A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.