{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3438", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T21:38:46.671Z", "datePublished": "2025-05-02T05:22:34.308Z", "dateUpdated": "2026-04-08T17:19:12.414Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:12.414Z"}, "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.17.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3."}], "title": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277790"}, {"url": "https://plugins.trac.wordpress.org/changeset/3279132/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-05-01T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T15:47:03.172962Z", "id": "CVE-2025-3438", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T15:47:36.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T15:47:03.172962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T15:47:30.957Z"}}], "cna": {"title": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.17.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277790"}, {"url": "https://plugins.trac.wordpress.org/changeset/3279132/"}], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-02T05:22:34.308Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3438", "state": "PUBLISHED", "dateUpdated": "2025-05-02T15:47:36.691Z", "dateReserved": "2025-04-07T21:38:46.671Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T05:22:34.308Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4F32FF32-13F7-4BBD-B1ED-77338D03B697", "versionEndExcluding": "4.17.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3."}, {"lang": "es", "value": "El complemento MStore API \u2013 Create Native Android &amp; iOS Apps On The Cloud para WordPress es vulnerable a una escalada de privilegios limitada en todas las versiones hasta la 4.17.4 incluida. Esto se debe a la falta de restricci\u00f3n de roles al registrarse. Esto permite que atacantes no autenticados se registren con el rol 'wcfm_vendor', que es un rol de vendedor de tienda en el complemento WCFM Marketplace \u2013 Multivendor Marketplace para WooCommerce para WordPress. Esta vulnerabilidad solo se puede explotar si el plugin WCFM Marketplace \u2013 Multivendor Marketplace para WooCommerce est\u00e1 instalado y activado. La vulnerabilidad se corrigi\u00f3 parcialmente en la versi\u00f3n 4.17.3."}], "id": "CVE-2025-3438", "lastModified": "2025-05-06T15:35:14.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-02T06:15:48.020", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3277790"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3279132/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:01:56.432594+00:00", "value": {"mitigation_remediation": ["Update the MStore API plugin to version 4.17.5 or later, which contains the necessary role\u2011restriction fix.", "If a site does not require multi\u2011vendor capabilities, disable or uninstall the WCFM Marketplace plugin to eliminate the attack surface.", "Audit existing user accounts and ensure that the wcfm_vendor role cannot be assigned through public registration; enforce strict role validation in the plugin code if possible."], "summary": {"action": "Patch", "impact": "Limited Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites running the MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin version 4.17.4 or earlier are affected, but only when the WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin is also installed and activated. The vulnerability is specific to the InspireUI MStore API product.", "description_and_impact": "The MStore API plugin allows an attacker to create a user with the wcfm_vendor role without authentication. This role grants vendor\u2011level access in the WCFM Marketplace plugin, enabling the attacker to perform vendor\u2011specific actions. The flaw is a lack of role restriction during registration, which results in a moderate\u2011severity privilege escalation vulnerability (CWE-269).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate risk. The very low EPSS score (<1%) suggests limited current exploitation activity, and the vulnerability is not listed in CISA KEV. Exploitation requires an unauthenticated attacker who can submit a registration request to the vulnerable plugin on a site that also hosts the WCFM Marketplace plugin. Once achieved, the attacker gains vendor\u2011level privileges, potentially allowing further manipulation within the plugin ecosystem."}}}}, "created": "2026-04-20T23:15:06.301313+00:00", "updated": "2026-04-20T23:15:06.301325+00:00", "vendors": []}