PT-2024-17416 · WordPress · Mstore Api

Author: Khayal Farzaliyev
Published: 2024-12-13 · Updated: 2024-12-13
CVE-2024-12042
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress, versions up to and including 4.16.4

Description: The plugin is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality because file types are not sufficiently validated. An authenticated attacker with subscriber-level access or above can upload an HTML file containing arbitrary web scripts, which execute whenever a user accesses the file.

Recommendations: For versions up to and including 4.16.4, update to a version that performs sufficient file type validation and blocks the upload of HTML files. As a temporary workaround, consider restricting access to the profile picture upload functionality. Additionally, prevent uploaded files from being served in a way that lets browsers execute web scripts in them, to reduce the impact of Stored Cross-Site Scripting.
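The kind of content-based check the recommendation calls for, as an added example that is not MStore API's own code: the upload is accepted only when the bytes, the libmagic-detected MIME type and the file extension all agree on an allowlisted image format, so an HTML document cannot pass as a profile picture regardless of its name. The function and constant names are hypothetical, and the two inputs at the bottom are constructed samples.

```php
<?php
// Added example, not MStore API's own code. Function and constant names are
// hypothetical; the client-supplied Content-Type ($_FILES[...]['type']) is never used.
const ALLOWED_IMAGE_TYPES = [
    // detected MIME  => permitted extensions and the leading magic bytes
    'image/png'  => ['ext' => ['png'],         'magic' => "\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ['ext' => ['jpg', 'jpeg'], 'magic' => "\xFF\xD8\xFF"],
    'image/gif'  => ['ext' => ['gif'],         'magic' => "GIF8"],
];

/**
 * Returns the trusted MIME type of an acceptable image, or null to reject the upload.
 */
function validate_profile_picture(string $filename, string $bytes): ?string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    // 1. Type from content: text/html, image/svg+xml, etc. are not in the allowlist.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        return null;
    }
    $rule = ALLOWED_IMAGE_TYPES[$detected];

    // 2. The extension must match the detected type, so the stored name cannot
    //    make the web server or browser treat the file as another type.
    if (!in_array($ext, $rule['ext'], true)) {
        return null;
    }

    // 3. Magic bytes and a full image-header parse must both agree with finfo.
    if (strncmp($bytes, $rule['magic'], strlen($rule['magic'])) !== 0) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }
    return $detected;
}

// Constructed samples: an HTML document posing as an avatar, and a genuine 1x1 PNG.
$html_sample = "<!DOCTYPE html><html><body>constructed sample</body></html>";
$png_sample  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
var_dump(validate_profile_picture('avatar.html', $html_sample)); // HTML under its own extension
var_dump(validate_profile_picture('avatar.png',  $html_sample)); // HTML renamed to look like an image
var_dump(validate_profile_picture('avatar.png',  $png_sample));  // genuine PNG
```

Pair this with serving the upload directory without script execution and with `X-Content-Type-Options: nosniff`, so that a file which slips past validation is still delivered as inert data rather than rendered as a page.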

Fix

XSS · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-12042

Affected Products: Mstore Api