CVE-2024-8242
MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload
mediumUnrestricted Upload of File with Dangerous Type
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.15.4
Patched in
1d
Time to patch
Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability
Technical Details
Affected versions
<=4.15.3PublishedSeptember 12, 2024
Last updatedSeptember 13, 2024
Affected pluginmstore-api
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.