PT-2025-18761 · WordPress · Mstore Api+1

Brian Sans-Souci · Published 2025-05-02 · Updated 2025-05-06 · CVE-2025-3438

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress versions up to, and including, 4.17.4

Description

The plugin is vulnerable to limited privilege escalation because it does not restrict which role can be assigned at registration, allowing unauthenticated attackers to register with the wcfm vendor role. This role belongs to the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, and the vulnerability can only be exploited if that plugin is installed and activated.

Recommendations

For versions up to, and including, 4.17.4, update to a version that includes the necessary security patches to restrict role registration. As a temporary workaround, consider restricting access to the registration process to prevent unauthenticated attackers from exploiting the lack of role restrictions.
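
A triage check for the conditions this advisory lists, as an added example rather than code from the advisory or either plugin: it reads WP-CLI JSON output and reports whether the affected version range and the WCFM precondition both hold, and which vendor-role accounts are not on a known list. The plugin slugs `mstore-api` and `wc-multivendor-marketplace`, the role slug `wcfm_vendor`, and all sample data are assumptions constructed for illustration.

```python
import json
import re

# Assumptions (not stated on the page): wordpress.org plugin slugs and the WCFM role slug.
MSTORE_SLUG, WCFM_SLUG, VENDOR_ROLE = "mstore-api", "wc-multivendor-marketplace", "wcfm_vendor"
LAST_AFFECTED = (4, 17, 4, 0)            # advisory: up to, and including, 4.17.4
ACTIVE = {"active", "active-network"}    # WP-CLI status values for enabled plugins

def parse_version(text):
    """'4.17.4' -> (4, 17, 4, 0); each component keeps only its leading digits."""
    nums = [int(re.match(r"\d*", part).group() or 0) for part in text.split(".")]
    return tuple((nums + [0] * 4)[:4])   # pad so '4.17' and '4.17.0' compare equal

def assess(plugins_json, users_json, known_vendors=()):
    """Return exposure status plus vendor-role accounts nobody has vouched for."""
    plugins = {p["name"]: p for p in json.loads(plugins_json)}
    mstore, wcfm = plugins.get(MSTORE_SLUG), plugins.get(WCFM_SLUG)
    affected = (bool(mstore) and mstore["status"] in ACTIVE
                and parse_version(mstore["version"]) <= LAST_AFFECTED)
    # The advisory states exploitation requires WCFM Marketplace installed and activated.
    wcfm_active = bool(wcfm) and wcfm["status"] in ACTIVE
    unreviewed = sorted(
        u["user_login"] for u in json.loads(users_json)
        if VENDOR_ROLE in u["roles"].split(",") and u["user_login"] not in known_vendors
    )
    return {"affected_version": affected,
            "exploitable": affected and wcfm_active,
            "unreviewed_vendors": unreviewed}

# Constructed sample input, shaped like the output of `wp plugin list --format=json`
# and `wp user list --fields=user_login,user_registered,roles --format=json`.
SAMPLE_PLUGINS = json.dumps([
    {"name": "mstore-api", "status": "active", "version": "4.17.4"},
    {"name": "wc-multivendor-marketplace", "status": "active", "version": "0.0.0-sample"},
])
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "user_registered": "2023-01-10 09:00:00", "roles": "administrator"},
    {"user_login": "acme-store", "user_registered": "2024-06-02 14:21:07", "roles": "wcfm_vendor"},
    {"user_login": "shop_x91", "user_registered": "2025-05-03 03:12:44", "roles": "wcfm_vendor"},
    {"user_login": "reader1", "user_registered": "2025-04-11 18:40:02", "roles": "subscriber"},
])

if __name__ == "__main__":
    # "acme-store" stands in for a vendor the site owner onboarded deliberately.
    print(json.dumps(assess(SAMPLE_PLUGINS, SAMPLE_USERS, {"acme-store"}), indent=2))
```

Accounts listed under `unreviewed_vendors` are candidates for manual review against the site's vendor onboarding records, not confirmed abuse.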

Fix

LPE

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2025-3438

Affected Products: Mstore Api, Wcfm Marketplace