CVE-2023-3277
MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
| CWE | CWE-288 |
| Vendor | inspireui |
| Product | mstore api – create native android & ios apps on the cloud |
| Published | Nov 3, 2023 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for inspireui mstore api – create native android & ios apps on the cloud
Be the first to know when new critical vulnerabilities affecting inspireui mstore api – create native android & ios apps on the cloud are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
inspireui / MStore API – Create Native Android & iOS Apps On The Cloud
0 ≤ 4.10.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail=
Credits
Truoc Phan An Đặng