CVE-2025-3438

MEDIUM 6.5

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

CWE	CWE-269
Vendor	inspireui
Product	mstore api – create native android & ios apps on the cloud
Published	May 2, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for inspireui mstore api – create native android & ios apps on the cloud

Be the first to know when new medium vulnerabilities affecting inspireui mstore api – create native android & ios apps on the cloud are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

inspireui / MStore API – Create Native Android & iOS Apps On The Cloud

0 ≤ 4.17.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Brian Sans-Souci