
CVE-2024-8242: CWE-434 Unrestricted Upload of File with Dangerous Type in inspireui MStore API – Create Native Android & iOS Apps On The Cloud

Medium
Tags: Vulnerability, CVE-2024-8242, cve, cve-2024-8242, cwe-434
Published: Fri Sep 13 2024 (09/13/2024, 15:10:45 UTC)
Source: CVE Database V5
Vendor/Project: inspireui
Product: MStore API – Create Native Android & iOS Apps On The Cloud

Description

CVE-2024-8242 is a medium-severity vulnerability in the inspireui MStore API WordPress plugin that allows authenticated users with subscriber-level access or higher to upload arbitrary files due to missing file type validation in the update_user_profile() function. Although PHP files cannot be uploaded directly, attackers can upload other dangerous file types that may lead to remote code execution, especially when combined with an unauthenticated registration endpoint. The vulnerability affects all versions up to and including 4.15.3. Exploitation requires authentication but no user interaction beyond that. No known exploits are currently reported in the wild. The vulnerability poses a risk to websites using this plugin to create native Android and iOS apps on the cloud, potentially compromising site integrity and security.

AI-Powered Analysis

Last updated: 02/26/2026, 03:53:33 UTC

Technical Analysis

CVE-2024-8242 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the inspireui MStore API plugin for WordPress, which facilitates the creation of native Android and iOS apps on the cloud. The flaw exists in the update_user_profile() function, where the plugin fails to properly validate the file types being uploaded by authenticated users with subscriber-level privileges or higher. This lack of validation allows attackers to upload arbitrary files, excluding PHP files, to the server hosting the WordPress site. Although direct PHP file upload is blocked, attackers can leverage other file types that may be executed or used to facilitate remote code execution (RCE) under certain conditions, especially when combined with an unauthenticated registration endpoint that allows account creation. The vulnerability affects all versions up to and including 4.15.3. The CVSS 3.1 base score is 4.3, indicating a medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and impacting integrity but not confidentiality or availability. No public exploits have been reported yet, but the vulnerability could be exploited to compromise the integrity of affected sites, potentially leading to further attacks such as privilege escalation or data tampering.

Potential Impact

Organizations using the inspireui MStore API plugin are at risk of unauthorized file uploads by authenticated users with minimal privileges, which can lead to server compromise or remote code execution if attackers successfully leverage uploaded files. This can result in defacement, data integrity loss, or pivoting to deeper network layers. The risk is heightened for sites that allow open registration, as attackers can create accounts to exploit the vulnerability. This may lead to reputational damage, data breaches, and operational disruptions. Since the plugin is used to create native mobile apps, compromised backend servers could also affect mobile app functionality or user data security. The medium CVSS score reflects moderate impact, but the real-world impact depends on the presence of additional vulnerabilities or misconfigurations that enable execution of uploaded files.

Mitigation Recommendations

Administrators should immediately update the inspireui MStore API plugin to a patched version once available. Until then, implement strict file upload restrictions by configuring the web server or security plugins to block all file types except those explicitly required and safe (e.g., images). Disable or restrict the update_user_profile() function for non-trusted users if possible. Monitor user registrations and uploads for suspicious activity, especially from new accounts. Employ Web Application Firewalls (WAFs) with rules to detect and block arbitrary file uploads. Conduct regular security audits and scanning for unauthorized files on the server. Consider disabling open registration or adding CAPTCHA and email verification to reduce attacker account creation. Finally, review server and application logs for signs of exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-27T19:23:47.160Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 699f6c24b7ef31ef0b560664

Added to database: 2/25/2026, 9:39:48 PM

Last enriched: 2/26/2026, 3:53:33 AM

Last updated: 2/26/2026, 7:04:52 AM
