CVE-2023-2734

Name of the Vulnerable Software and Affected Versions MStore API plugin for WordPress versions up to, and including, 3.9.1

Description The issue is related to authentication bypass due to insufficient verification of the user being supplied during the cart sync from mobile REST API request through the plugin. This allows unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Recommendations For MStore API plugin for WordPress versions up to, and including, 3.9.1, update to a version later than 3.9.1 to resolve the issue. As a temporary workaround, consider restricting access to the mobile REST API endpoint to minimize the risk of exploitation. Avoid using the user id in the affected API endpoint until the issue is resolved.