CVE-2023-3076

high-risk
Published 2023-07-10

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.

Do I need to act?

!
29.2% chance of exploitation in next 30 days
EPSS score — higher than 71% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Inspireui

References (2)

Exploit https://wpscan.com/vulnerability/ac662436-29d7-4ea6-84e1-f9e229b44f5b
Exploit https://wpscan.com/vulnerability/ac662436-29d7-4ea6-84e1-f9e229b44f5b
52
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 15/34 · Moderate
Exposure 5/34 · Minimal