PT-2024-38463 · WordPress · Mstore Api

Truoc Phan · Published 2024-08-15 · Updated 2025-07-09 · CVE-2024-7628

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress, versions up to, and including, 4.15.2
Description: The issue stems from the use of a loose comparison in the verify id token function, which allows unauthenticated attackers to log in as any existing user on the site, including an administrator, if they have access to an @flutter.io email address or phone number. Exploitation also requires that Firebase be configured on the website and that the targeted user has set up Firebase for their account.
Recommendations: For versions up to, and including, 4.15.2, consider disabling the verify id token function to prevent authentication bypass until a patch is available. Restrict access to the plugin's functionality that relies on Firebase configuration to minimize the risk of exploitation. Avoid using email addresses or phone numbers associated with @flutter.io in user accounts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
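As an added illustration (not the plugin's code, and not a reproduction of the issue above), the snippet below shows why a loose == comparison in an identity-matching step is dangerous in PHP and how a strict check avoids it. The user records, claim values and the two function names are constructed for the demo.

```php
<?php
// Added illustration, not the plugin's code: a loose (==) comparison used to
// match an identity claim against stored user records, beside the strict form.
// The user records and claim values below are constructed for the demo.

$users = [
    ['login' => 'admin', 'email' => 'admin@example.invalid', 'phone' => ''],
    ['login' => 'alice', 'email' => 'alice@example.invalid', 'phone' => '0100'],
];

// Vulnerable pattern: == lets PHP juggle types, so a claim that is not the
// stored value can still compare equal.
function find_user_loose(array $users, $claim): ?string
{
    foreach ($users as $u) {
        if ($u['email'] == $claim || $u['phone'] == $claim) {
            return $u['login'];
        }
    }
    return null;
}

// Hardened pattern: reject anything that is not a non-empty string, then
// compare with === so that type and value must both match.
function find_user_strict(array $users, $claim): ?string
{
    if (!is_string($claim) || $claim === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u['email'] === $claim || $u['phone'] === $claim) {
            return $u['login'];
        }
    }
    return null;
}

// Claims a verifier might receive after decoding a JSON payload; their types
// are whatever the payload said, not necessarily strings:
//   true  - any non-empty string == true under PHP's bool juggling
//   null  - an empty stored field == null, since null is cast to ''
//   '100' - numeric strings compare as numbers, so '0100' == '100'
//   'alice@example.invalid' - the genuine value, which both forms accept
$claims = [true, null, '100', 'alice@example.invalid'];
foreach ($claims as $c) {
    printf("%-24s loose=%-6s strict=%s\n",
        var_export($c, true),
        find_user_loose($users, $c) ?? 'none',
        find_user_strict($users, $c) ?? 'none');
}
```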

Weakness Enumeration

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-7628

Affected Products

Mstore Api