CVE-2026-3568

Name of the Vulnerable Software and Affected Versions MStore API plugin for WordPress versions up to and including 4.18.3

Description The MStore API plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This stems from the update user profile() function within controllers/flutter-user.php, which processes the meta data JSON parameter without proper validation. The function retrieves JSON data from php://input (line 1012), decodes it (line 1013), and authenticates the user via cookie validation (line 1015). It then iterates through the user-supplied meta data array, passing arbitrary keys and values to update user meta() (line 1080) without sanitization. This allows authenticated attackers with Subscriber-level access or higher to modify arbitrary user meta fields on their accounts, including sensitive fields like wp user level, plugin-specific authorization flags (e.g., wpuf user active, aiowps account status), and billing/profile fields. Exploitation of wp user level can lead to administrator-level legacy checks, while unsanitized values in billing/profile fields may enable Stored XSS in admin contexts.

Recommendations For versions up to and including 4.18.3, update to a newer version.