Unknown Mstore Api vulnerabilities

5 known vulnerabilities affecting unknown/mstore_api.

Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2023-3077 | CRITICAL | CVSS 9.8 | PoC | fixed in 3.9.8 | 2023-07-10
CWE-89: The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugin's pro features, and uses the woocommerce-appointments plugin.
cvelistv5, nvd
CVE-2023-3076 | CRITICAL | CVSS 9.8 | fixed in 3.9.9 | 2023-07-10
CWE-862: The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.
cvelistv5, nvd
CVE-2023-3131 | MEDIUM | CVSS 4.3 | fixed in 3.9.7 | 2023-07-10
CWE-862: The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.
cvelistv5, nvd
CVE-2023-3209 | LOW | CVSS 3.5 | fixed in 3.9.7 | 2023-07-10
CWE-352: The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.
cvelistv5, nvd
CVE-2021-24148 | CRITICAL | CVSS 9.8 | ≥ 3.2.0, < 3.2.0 | 2021-03-18
CWE-287: A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.
cvelistv5, nvd