{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4683", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-14T11:50:47.393Z", "datePublished": "2025-05-27T01:48:48.377Z", "dateUpdated": "2026-04-08T17:16:37.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:37.069Z"}, "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.17.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts."}], "title": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b335bd15-7af7-4d8b-ad01-b1d9e76beb53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L46"}, {"url": "https://plugins.trac.wordpress.org/changeset/3293669/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-05-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-26T11:27:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T19:53:56.060631Z", "id": "CVE-2025-4683", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T19:54:10.468Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-27T19:53:56.060631Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T19:54:04.927Z"}}], "cna": {"title": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.17.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-09T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-26T11:27:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b335bd15-7af7-4d8b-ad01-b1d9e76beb53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L46"}, {"url": "https://plugins.trac.wordpress.org/changeset/3293669/"}], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:37.069Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4683", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:37.069Z", "dateReserved": "2025-05-14T11:50:47.393Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-27T01:48:48.377Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "13E79BE0-E1CD-43CA-9E61-FC2ECA1C1ECE", "versionEndExcluding": "4.17.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts."}, {"lang": "es", "value": "El complemento MStore API \u2013 Create Native Android &amp; iOS Apps On The Cloud para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de comprobaci\u00f3n de capacidad en la funci\u00f3n create_blog en todas las versiones hasta la 4.17.5 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, creen nuevas publicaciones."}], "id": "CVE-2025-4683", "lastModified": "2025-07-07T15:55:52.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-05-27T03:15:24.040", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L24"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.17.5/controllers/helpers/blog-helper.php#L46"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3293669/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b335bd15-7af7-4d8b-ad01-b1d9e76beb53?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:45:26.372468+00:00", "value": {"mitigation_remediation": ["Upgrade the MStore API plugin to version 4.17.6 or later, which includes the missing capability check.", "If an upgrade is not immediately possible, restrict Subscriber roles so they lack the \"publish_posts\" capability, effectively preventing unauthorized blog creation.", "If neither upgrade nor capability changes are viable, consider disabling or removing the create_blog endpoint via custom code or a security plugin until a fix is applied."], "summary": {"action": "Apply Patch", "impact": "Unauthorized post creation by subscribers"}, "threat_synthesis": {"affected_systems": "The MStore API \u2013 Create Native Android & iOS Apps On The Cloud plugin by InspireUI on WordPress is affected in all versions up to and including 4.17.5. Versions beyond 4.17.5 remove the flaw.", "description_and_impact": "Missing capability checks on the create_blog function allow any authenticated user with Subscriber-level access or higher to create posts in WordPress. This flaw can be used to inject arbitrary content into the site, potentially spreading misinformation, phishing, or spam, which undermines content integrity. The weakness is a classic authorization bypass (CWE-862).", "risk_and_exploitability": "The vulnerability is scored at CVSS 4.3, indicating low to moderate severity. The EPSS score is under 1%, suggesting a small current exploitation probability. It is not listed in the CISA KEV catalog. Attackers would need to be authenticated; the vector is an internal, user\u2011level context. Overall risk to a site remains modest, but the potential for unwanted content justifies prompt action."}}}}, "created": "2026-04-20T23:00:14.115159+00:00", "updated": "2026-04-20T23:00:14.115191+00:00", "vendors": []}