CVE-2024-8242

Name of the Vulnerable Software and Affected Versions: MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.15.3

Description: The issue arises from missing file type validation in the update user profile() function, allowing authenticated attackers with subscriber-level access and above to upload arbitrary files (excluding PHP files) to the site's server. This could potentially lead to remote code execution. The vulnerability can be exploited by unauthenticated users if paired with a registration endpoint.

Recommendations: For versions up to, and including, 4.15.3, update to a version that includes a fix for the missing file type validation in the update user profile() function to prevent arbitrary file uploads. As a temporary workaround, consider disabling the update user profile() function until a patch is available.