Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.
Published: 2025-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized post creation by subscribers
Action: Apply Patch
AI Analysis

Impact

Missing capability checks on the create_blog function allow any authenticated user with Subscriber-level access or higher to create posts in WordPress. This flaw can be used to inject arbitrary content into the site, potentially spreading misinformation, phishing, or spam, which undermines content integrity. The weakness is a classic authorization bypass (CWE-862).

Affected Systems

The MStore API – Create Native Android & iOS Apps On The Cloud plugin by InspireUI on WordPress is affected in all versions up to and including 4.17.5. Versions beyond 4.17.5 remove the flaw.

Risk and Exploitability

The vulnerability is scored at CVSS 4.3, indicating low to moderate severity. The EPSS score is under 1%, suggesting a small current exploitation probability. It is not listed in the CISA KEV catalog. Attackers would need to be authenticated; the vector is an internal, user‑level context. Overall risk to a site remains modest, but the potential for unwanted content justifies prompt action.

Generated by OpenCVE AI on April 20, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MStore API plugin to version 4.17.6 or later, which includes the missing capability check.
  • If an upgrade is not immediately possible, restrict Subscriber roles so they lack the "publish_posts" capability, effectively preventing unauthorized blog creation.
  • If neither upgrade nor capability changes are viable, consider disabling or removing the create_blog endpoint via custom code or a security plugin until a fix is applied.

Generated by OpenCVE AI on April 20, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28072 The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.
History

Mon, 07 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Inspireui
Inspireui mstore Api
CPEs cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
Vendors & Products Inspireui
Inspireui mstore Api

Tue, 27 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 May 2025 02:30:00 +0000

Type Values Removed Values Added
Description The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.
Title MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Inspireui Mstore Api
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:37.069Z

Reserved: 2025-05-14T11:50:47.393Z

Link: CVE-2025-4683

cve-icon Vulnrichment

Updated: 2025-05-27T19:54:04.927Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-27T03:15:24.040

Modified: 2025-07-07T15:55:52.187

Link: CVE-2025-4683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses