Description
WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.
Published: 2026-05-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw permits an unauthenticated attacker to send an HTTP POST request to the MStore API plugin’s REST‑API endpoint and upload any file. By uploading a PHP file with an arbitrary name the attacker can execute code on the host, giving complete control over the site. This is a classic arbitrary file upload vulnerability (CWE‑306), which directly leads to remote code execution.

Affected Systems

The vulnerability resides in the MStore API WordPress plugin, version 2.0.6. All WordPress sites running this exact plugin version are affected. No other versions are listed as affected by the CNA. The product is identified under the vendor "mstore".

Risk and Exploitability

The CVSS score of 9.3 signals a critical risk. EPSS is not reported, but the absence of authentication and the ability to upload executable files mean that an attacker with web access can compromise the server. The vulnerability is not yet in CISA’s KEV catalog. The likely attack vector is web‑based: a malicious actor submits a crafted POST to the /config_file endpoint, bypasses authentication checks, and receives server‑side execution of the uploaded file.

Generated by OpenCVE AI on May 10, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MStore API plugin to the latest available release that includes the file‑upload fix.
  • Configure the web server (or use .htaccess on Apache) to forbid execution of files in the plugin’s upload directory, especially .php and script extensions.
  • Deploy a web application firewall or WordPress security plugin that blocks or validates POST requests to the /config_file endpoint, ensuring only authorized users can upload files and that only permitted file types are accepted.

Generated by OpenCVE AI on May 10, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mstore
Mstore mstore Api
Wordpress
Wordpress wordpress
Vendors & Products Mstore
Mstore mstore Api
Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.
Title WordPress MStore API 2.0.6 Arbitrary File Upload
First Time appeared Inspireui
Inspireui mstore Api
Weaknesses CWE-306
CPEs cpe:2.3:a:inspireui:mstore_api:2.0.6:*:*:*:*:*:*:*
Vendors & Products Inspireui
Inspireui mstore Api
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Inspireui Mstore Api
Mstore Mstore Api
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:23:52.341Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47933

cve-icon Vulnrichment

Updated: 2026-05-11T13:19:00.064Z

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:29.560

Modified: 2026-05-10T13:16:29.560

Link: CVE-2021-47933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:31Z

Weaknesses