{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3568", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T20:45:42.536Z", "datePublished": "2026-04-09T02:25:06.702Z", "dateUpdated": "2026-04-09T12:59:11.618Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:06.702Z"}, "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.18.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable."}], "title": "MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1078"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1080"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1080"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1078"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494266%40mstore-api&new=3494266%40mstore-api&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-05T01:27:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T12:59:03.231688Z", "id": "CVE-2026-3568", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T12:59:11.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3568", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T12:59:03.231688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T12:59:07.451Z"}}], "cna": {"title": "MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "inspireui", "product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.18.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-05T01:27:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1078"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1080"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1080"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1012"}, {"url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1078"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494266%40mstore-api&new=3494266%40mstore-api&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:06.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3568", "state": "PUBLISHED", "dateUpdated": "2026-04-09T12:59:11.618Z", "dateReserved": "2026-03-04T20:45:42.536Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-09T02:25:06.702Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable."}], "id": "CVE-2026-3568", "lastModified": "2026-04-24T18:04:28.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T04:16:59.177", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1012"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1078"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1080"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1012"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1078"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1080"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494266%40mstore-api&new=3494266%40mstore-api&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.18.3]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "MStore API \u2013 Create Native Android & iOS Apps On The Cloud", "source": "cna", "vendor": "inspireui"}, "product": "mstore_api_create_native_android_and_ios_apps_on_the_cloud", "vendor": "inspireui"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T04:21:40.963714+00:00", "value": {"mitigation_remediation": ["Upgrade the MStore API plugin to a version newer than 4.18.3 when an official patch becomes available.", "If an update is not immediately possible, limit the meta_data parameter to a validated allow\u2011list of keys that the plugin is required to handle.", "Audit and monitor changes to user meta tables, paying particular attention to wp_user_level, wp_capabilities, and plugin\u2011specific meta keys.\n"], "summary": {"action": "Patch Immediately", "impact": "Arbitrary user meta updates with the potential for privilege escalation and cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "All installations of the MStore API plugin for WordPress with versions 4.18.3 or earlier are affected. The plugin is developed by inspireui under the name 'MStore API \u2013 Create Native Android & iOS Apps On The Cloud'. No additional version ranges are specified beyond the stated upper limit.\n", "description_and_impact": "The MStore API plugin is vulnerable to an insecure direct object reference that allows authenticated users with Subscriber level or higher to supply arbitrary meta keys and values into the user profile update endpoint. This flaw is derived from the update_user_profile() function, which decodes untrusted JSON from php://input and passes it directly to update_user_meta() without any validation. As a result, attackers can set sensitive fields such as wp_user_level, plugin authorization flags, and billing details, leading to possible privilege escalation and stored cross\u2011site scripting in the admin interface.\n", "risk_and_exploitability": "The reported CVSS score of 4.3 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated (e.g., a logged\u2011in Subscriber or higher) and to supply crafted JSON in the request body. The lack of input filtering makes exploitation straightforward once authentication is achieved, but it does not allow arbitrary code execution. The risk is therefore moderate, with the primary impact being privilege escalation and potential XSS. The likelihood of exploitation is limited to environments where the plugin is active and vulnerable.\n"}}}}, "created": "2026-04-09T08:15:44.102959+00:00", "updated": "2026-04-09T08:25:10.686827+00:00", "vendors": ["inspireui", "inspireui$PRODUCT$mstore_api_create_native_android_and_ios_apps_on_the_cloud", "wordpress", "wordpress$PRODUCT$wordpress"]}