Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
Published: 2025-05-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Limited Privilege Escalation
Action: Patch
AI Analysis

Impact

The MStore API plugin allows an attacker to create a user with the wcfm_vendor role without authentication. This role grants vendor‑level access in the WCFM Marketplace plugin, enabling the attacker to perform vendor‑specific actions. The flaw is a lack of role restriction during registration, which results in a moderate‑severity privilege escalation vulnerability (CWE-269).

Affected Systems

WordPress sites running the MStore API – Create Native Android & iOS Apps On The Cloud plugin version 4.17.4 or earlier are affected, but only when the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is also installed and activated. The vulnerability is specific to the InspireUI MStore API product.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk. The very low EPSS score (<1%) suggests limited current exploitation activity, and the vulnerability is not listed in CISA KEV. Exploitation requires an unauthenticated attacker who can submit a registration request to the vulnerable plugin on a site that also hosts the WCFM Marketplace plugin. Once achieved, the attacker gains vendor‑level privileges, potentially allowing further manipulation within the plugin ecosystem.

Generated by OpenCVE AI on April 20, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MStore API plugin to version 4.17.5 or later, which contains the necessary role‑restriction fix.
  • If a site does not require multi‑vendor capabilities, disable or uninstall the WCFM Marketplace plugin to eliminate the attack surface.
  • Audit existing user accounts and ensure that the wcfm_vendor role cannot be assigned through public registration; enforce strict role validation in the plugin code if possible.

Generated by OpenCVE AI on April 20, 2026 at 23:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13296 The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
History

Tue, 06 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Inspireui
Inspireui mstore Api
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
Vendors & Products Inspireui
Inspireui mstore Api

Fri, 02 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 02 May 2025 05:45:00 +0000

Type Values Removed Values Added
Description The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
Title MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Inspireui Mstore Api
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:12.414Z

Reserved: 2025-04-07T21:38:46.671Z

Link: CVE-2025-3438

cve-icon Vulnrichment

Updated: 2025-05-02T15:47:30.957Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-02T06:15:48.020

Modified: 2025-05-06T15:35:14.563

Link: CVE-2025-3438

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses