- Description
- The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
- Source
- security@wordfence.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 7.3
- Impact score
- 3.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Severity
- HIGH
- security@wordfence.com
- CWE-269
- nvd@nist.gov
- NVD-CWE-noinfo
- Hype score
- Not currently trending
🔴 WordPress, Privilege Escalation, #CVE-2025-3438 (Critical) https://t.co/Ght8aU4Jgj
@dailycve
6 May 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE Alert: CVE-2025-3438 - https://t.co/3dftqN4tAZ #OSINT #ThreatIntel #CyberSecurity #cve_2025_3438
@RedPacketSec
3 May 2025
67 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"matchCriteriaId": "4F32FF32-13F7-4BBD-B1ED-77338D03B697",
"versionEndExcluding": "4.17.5"
}
],
"operator": "OR"
}
]
}
]