Description
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
Published: 2026-04-09
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Arbitrary user meta updates with the potential for privilege escalation and cross‑site scripting
Action: Patch Immediately
AI Analysis

Impact

The MStore API plugin is vulnerable to an insecure direct object reference that allows authenticated users with Subscriber level or higher to supply arbitrary meta keys and values into the user profile update endpoint. This flaw is derived from the update_user_profile() function, which decodes untrusted JSON from php://input and passes it directly to update_user_meta() without any validation. As a result, attackers can set sensitive fields such as wp_user_level, plugin authorization flags, and billing details, leading to possible privilege escalation and stored cross‑site scripting in the admin interface.

Affected Systems

All installations of the MStore API plugin for WordPress with versions 4.18.3 or earlier are affected. The plugin is developed by inspireui under the name 'MStore API – Create Native Android & iOS Apps On The Cloud'. No additional version ranges are specified beyond the stated upper limit.

Risk and Exploitability

The reported CVSS score of 4.3 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated (e.g., a logged‑in Subscriber or higher) and to supply crafted JSON in the request body. The lack of input filtering makes exploitation straightforward once authentication is achieved, but it does not allow arbitrary code execution. The risk is therefore moderate, with the primary impact being privilege escalation and potential XSS. The likelihood of exploitation is limited to environments where the plugin is active and vulnerable.

Generated by OpenCVE AI on April 9, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MStore API plugin to a version newer than 4.18.3 when an official patch becomes available.
  • If an update is not immediately possible, limit the meta_data parameter to a validated allow‑list of keys that the plugin is required to handle.
  • Audit and monitor changes to user meta tables, paying particular attention to wp_user_level, wp_capabilities, and plugin‑specific meta keys.

Generated by OpenCVE AI on April 9, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Inspireui
Inspireui mstore Api Create Native Android And Ios Apps On The Cloud
Wordpress
Wordpress wordpress
Vendors & Products Inspireui
Inspireui mstore Api Create Native Android And Ios Apps On The Cloud
Wordpress
Wordpress wordpress

Thu, 09 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Description The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
Title MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Inspireui Mstore Api Create Native Android And Ios Apps On The Cloud
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T02:25:06.702Z

Reserved: 2026-03-04T20:45:42.536Z

Link: CVE-2026-3568

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T04:16:59.177

Modified: 2026-04-09T04:16:59.177

Link: CVE-2026-3568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:10Z

Weaknesses