CVE-2025-3438: CWE-269 Improper Privilege Management in inspireui MStore API – Create Native Android & iOS Apps On The Cloud
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
AI Analysis
Technical Summary
The MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin suffers from improper privilege management (CWE-269): its registration flow accepts a role supplied by the caller instead of assigning one server-side, so an unauthenticated user can register with the 'wcfm_vendor' role, the Store Vendor role that the WCFM Marketplace plugin defines. The role only exists when WCFM Marketplace is installed and activated, which is why the escalation depends on that second plugin. All MStore API versions up to and including 4.17.4 are affected; a partial fix was introduced in 4.17.3. The CVSS 3.1 base score is 6.5 (network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, low confidentiality and integrity impact, no availability impact, i.e. AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
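The defect described above, reduced to its shape, as an added illustration written for this page rather than code taken from the MStore API plugin: a minimal WordPress REST registration endpoint that honours a client-supplied role beside a hardened version that only assigns roles from a server-side allowlist. The route name, parameter names and the allowlist contents are assumptions for the example.

```php
<?php
// Illustrative example, not the MStore API plugin's own code. It shows the
// vulnerable pattern the advisory describes (role taken from the request)
// next to a hardened handler. Route and parameter names are assumptions.

// --- Vulnerable shape: the caller chooses its own role ---------------------
function example_register_vulnerable( WP_REST_Request $request ) {
    $userdata = array(
        'user_login' => sanitize_user( $request->get_param( 'username' ) ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
        'user_pass'  => $request->get_param( 'password' ),
        // Whatever the client sends is honoured. Once WCFM Marketplace has
        // registered the 'wcfm_vendor' role, this accepts it like any other.
        'role'       => $request->get_param( 'role' ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}

// --- Hardened shape: server-side allowlist, client input cannot escalate ---
function example_allowed_self_registration_roles() {
    // Only roles the site is willing to hand to an anonymous caller
    // (assumed list; adjust to the site's needs).
    return array( 'subscriber', 'customer' );
}

function example_register_hardened( WP_REST_Request $request ) {
    $requested = (string) $request->get_param( 'role' );
    $allowed   = example_allowed_self_registration_roles();

    // Default to the least-privileged role. Reject anything not on the list
    // instead of silently downgrading, so the attempt is visible in logs.
    if ( '' === $requested ) {
        $role = 'subscriber';
    } elseif ( in_array( $requested, $allowed, true ) && get_role( $requested ) ) {
        $role = $requested;
    } else {
        return new WP_Error(
            'rest_forbidden_role',
            'Self-registration with that role is not permitted.',
            array( 'status' => 403 )
        );
    }

    $userdata = array(
        'user_login' => sanitize_user( $request->get_param( 'username' ) ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
        'user_pass'  => $request->get_param( 'password' ),
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_register_hardened',
        'permission_callback' => '__return_true', // public endpoint by design
    ) );
} );
```

The point of the hardened version is that the allowlist is fixed on the server and never grows just because another plugin has registered a new role; a marketplace's vendor role must be granted by an explicit approval step, not by whatever string the registration request carries.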
Potential Impact
An unauthenticated attacker can register as a store vendor in the WCFM Marketplace plugin and so obtain whatever capabilities the site grants to vendors (in a multivendor marketplace, typically a storefront of its own), rather than the customer or subscriber role a self-registered account would normally receive. This permits actions reserved for vendors and therefore affects the confidentiality and integrity of the site; availability is not impacted. Exploitation depends on WCFM Marketplace being installed and activated, because the 'wcfm_vendor' role does not exist otherwise.
Mitigation Recommendations
A partial patch was introduced in version 4.17.3 of the MStore API plugin, and every version up to and including 4.17.4 remains affected, so sites should update to the first release after 4.17.4 that the vendor publishes as fully fixed. No official patch link is provided here; confirm the fixed version through the vendor's advisory or the plugin's update channel. Updating does not revoke accounts that were already created: audit every user holding the 'wcfm_vendor' role, in particular accounts registered while the site was exposed, and downgrade or remove any the store owner did not approve. If updating is not immediately possible, deactivate either the MStore API plugin or the WCFM Marketplace plugin, since the escalation requires both, and monitor vendor communications for official fixes.
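An added example of the account audit recommended above, written for this page and not part of either plugin: it lists every account holding the 'wcfm_vendor' role (optionally only those registered after a cut-off date) and provides a helper that downgrades a selected account to subscriber instead of deleting it. It needs a loaded WordPress environment, for instance via a WP-CLI eval-file or a must-use plugin; the cut-off date and the output format are assumptions.

```php
<?php
// Illustrative audit, not part of the MStore API or WCFM plugins. Run with a
// loaded WordPress environment (WP-CLI eval-file, mu-plugin, admin page).

function example_list_wcfm_vendor_accounts( $registered_after = null ) {
    $args = array(
        'role'    => 'wcfm_vendor',
        'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby' => 'registered',
        'order'   => 'DESC',
        'number'  => -1, // no paging; acceptable for a one-off audit run
    );
    // Optional cut-off (e.g. the date the MStore API plugin was installed)
    // to narrow the review to accounts created while the site was exposed.
    if ( $registered_after ) {
        $args['date_query'] = array(
            array( 'after' => $registered_after, 'inclusive' => true ),
        );
    }
    $query = new WP_User_Query( $args );
    return $query->get_results(); // stdClass rows with the requested fields
}

function example_demote_to_subscriber( $user_id ) {
    // Downgrade rather than delete so orders, products and evidence survive;
    // reinstate legitimate vendors manually after review.
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'wcfm_vendor', (array) $user->roles, true ) ) {
        return false;
    }
    $user->set_role( 'subscriber' );
    return true;
}

// Assumed cut-off date for the example; replace with the site's own.
foreach ( example_list_wcfm_vendor_accounts( '2025-01-01' ) as $row ) {
    printf( "%d\t%s\t%s\t%s\n", $row->ID, $row->user_login, $row->user_email, $row->user_registered );
}
```

The same listing is available without code as `wp user list --role=wcfm_vendor --fields=ID,user_login,user_email,user_registered`; the PHP version is useful when the review has to be scripted together with the downgrade step.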
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-07T21:38:46.671Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbebf4d
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 4/9/2026, 10:13:47 AM
Last updated: 5/8/2026, 6:00:01 PM