PT-2025-47778 · WordPress+1 · Mstoreapp Mobile App Wordpress Plugin+1
Khaled Alenazi · Published 2025-11-21 · Updated 2025-11-21 · CVE-2025-11127
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mstoreapp Mobile App WordPress plugin versions through 2.08
Mstoreapp Mobile Multivendor versions through 9.0.1
Description
The plugins do not properly validate user identity when an AJAX action is used. This allows unauthenticated users to obtain a valid session for any user if they know the user's email address. The affected API endpoint is not specified. The vulnerable parameter is the email address used to retrieve user sessions.
Recommendations
Update Mstoreapp Mobile App WordPress plugin to a version later than 2.08.
Update Mstoreapp Mobile Multivendor to a version later than 9.0.1.
Exploit
Fix
Affected Products
Mstoreapp Mobile App Wordpress Plugin
Mstoreapp Mobile Multivendor