CVE-2024-6328

Name of the Vulnerable Software and Affected Versions MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.14.7

Description The issue is due to insufficient verification on the phone parameter of the firebase sms login and firebase sms login v2 functions. This allows unauthenticated attackers to log in as any existing user, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.

Recommendations For versions up to, and including, 4.14.7, update to a version later than 4.14.7 to resolve the issue. As a temporary workaround, consider disabling the firebase sms login and firebase sms login v2 functions until a patch is available. Restrict access to the phone parameter to minimize the risk of exploitation.