Impact
Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows an attacker to exploit the password recovery mechanism to gain unauthorized access. The flaw is an example of CWE-288: Improper Authentication. By manipulating the alternate authentication channel, an attacker can authenticate as a valid user without knowing the correct credentials, potentially compromising account integrity and confidentiality.
Affected Systems
The issue affects WordPress installations running the MStore API plugin from any released version up to and including 4.18.4. Users should review the plugin version on their site to determine exposure.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium‑severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no widespread known exploitation. The likely attack vector involves triggering password recovery on a WordPress site, exploiting the alternate authentication path to obtain access. Addressing this flaw is essential to preserve proper user authentication controls.
OpenCVE Enrichment