CVE-2023-3076

The MStore API WordPress plugin, specifically versions before 3.9.9, is affected by a security issue that allows visitors to create user accounts with a role of their choice via the wholesale REST API endpoint. This issue is only exploitable if the site owner has paid to access the plugin's pro features. An exploit is available, and tools such as MSAPer can be used to automatically check and exploit this issue, allowing for unauthenticated privilege escalation, including mass addition of admin users and PHP file upload. The affected versions are all MStore API WordPress plugin versions before 3.9.9. The exploit is available on GitHub: https://github.com/im-hanzou/MSAPer #MStoreAPI #WordPress #UnauthenticatedPrivilegeEscalation #MSAPer #OffensiveSecurity #Exploit #PrivilegeEscalation #RESTAPI #WordPressPlugin