CVE-2020-36713
moderate-risk
Published 2023-06-07
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.
Do I need to act?
0.93% chance of exploitation (EPSS score, low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 · Critical · NETWORK / LOW complexity
References (6)
Third Party Advisory
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-securit...
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a3...
40 / 100 · moderate-risk
Severity: 32/34 · Critical
Exploitability: 3/34 · Minimal
Exposure: 5/34 · Minimal