Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation.

This issue affects MStore API: from n/a through 4.18.4.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows an attacker to exploit the password recovery mechanism to gain unauthorized access. The flaw is an example of CWE-288: Improper Authentication. By manipulating the alternate authentication channel, an attacker can authenticate as a valid user without knowing the correct credentials, potentially compromising account integrity and confidentiality.

Affected Systems

The issue affects WordPress installations running the MStore API plugin from any released version up to and including 4.18.4. Users should review the plugin version on their site to determine exposure.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no widespread known exploitation. The likely attack vector involves triggering password recovery on a WordPress site, exploiting the alternate authentication path to obtain access. Addressing this flaw is essential to preserve proper user authentication controls.

Generated by OpenCVE AI on June 18, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Update the WordPress MStore API Plugin to the latest available version (at least 4.19.0).


OpenCVE Recommended Actions

  • Update the FluxBuilder MStore API Plugin to version 4.19.0 or later.
  • If an update cannot be applied immediately, temporarily disable the password recovery feature or restrict access to the recovery endpoint.
  • Enforce strong passwords for all user accounts and enable two‑factor authentication to reduce the risk of unauthorized access.

Generated by OpenCVE AI on June 18, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Fluxbuilder
Fluxbuilder mstore Api
Wordpress
Wordpress wordpress
Vendors & Products Fluxbuilder
Fluxbuilder mstore Api
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4.
Title WordPress MStore API plugin <= 4.18.4 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Fluxbuilder Mstore Api
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:15:18.655Z

Reserved: 2026-06-16T09:21:46.612Z

Link: CVE-2026-54817

cve-icon Vulnrichment

Updated: 2026-06-17T14:14:54.538Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel