
CVE-2025-4683: CWE-862 Missing Authorization in inspireui MStore API – Create Native Android & iOS Apps On The Cloud

Medium
Tags: Vulnerability, CVE-2025-4683, CWE-862
Published: Tue May 27 2025 (05/27/2025, 01:48:48 UTC)
Source: CVE Database V5
Vendor/Project: inspireui
Product: MStore API – Create Native Android & iOS Apps On The Cloud

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 10:47:55 UTC

Technical Analysis

CVE-2025-4683 is a medium-severity vulnerability in the MStore API plugin for WordPress, developed by inspireui, whose API backs native Android and iOS apps built on the vendor's cloud service. The flaw is a missing authorization check (CWE-862) in the plugin's create_blog function, present in all versions up to and including 4.17.5. The function creates a post on behalf of the calling user but never asks WordPress whether that user holds a capability that permits post creation (such as publish_posts or edit_posts, neither of which the Subscriber role has); being authenticated is treated as sufficient. Any logged-in user with Subscriber-level access or higher can therefore create new posts on the site. The impact is limited to integrity: the flaw neither discloses data nor disrupts availability. The CVSS 3.1 base score of 4.3 reflects a network attack vector, low attack complexity, low privileges required, no user interaction and a low integrity impact. No in-the-wild exploitation has been reported, and no patch reference is attached to this record. The practical concern is that a low-privilege account, which many sites hand out freely through open registration, can publish content under the site's name, enabling defacement, misinformation or the planting of malicious links. Because the plugin is the backend for mobile apps, any such content is also served to the apps that consume it, so the damage extends beyond the website itself.
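The following WordPress REST route illustrates the pattern the advisory describes. It is an added example, not the MStore API plugin's code: the route namespace, function names and the capability chosen for the fix are assumptions. Both variants share one insert routine; the only difference is whether anybody asks WordPress if the caller may create posts.

```php
<?php
// Added example for this advisory, not the MStore API plugin's code.
// Shared body: build and insert the post on behalf of the calling user.
function example_insert_blog_post( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( $request->get_param( 'title' ) ),
        'post_content' => wp_kses_post( $request->get_param( 'content' ) ),
        'post_status'  => 'publish',
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id ) );
}

// VULNERABLE (CWE-862): authentication is checked, authorization is not.
// Any logged-in user, a Subscriber included, reaches this handler, and the
// handler never asks whether that user may create posts.
function example_create_blog_vulnerable( WP_REST_Request $request ) {
    return example_insert_blog_post( $request );
}

// HARDENED: a permission callback that enforces a capability. WordPress
// evaluates it before the handler and turns the WP_Error into a 401/403.
function example_create_blog_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'publish_posts' ) ) {   // Subscribers lack this
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to create posts.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_create_blog_hardened( WP_REST_Request $request ) {
    // Re-check inside the handler so the function stays safe if it is ever
    // invoked from a path that bypasses the route's permission callback.
    if ( ! current_user_can( 'publish_posts' ) ) {
        return new WP_Error( 'rest_forbidden', __( 'Forbidden.' ), array( 'status' => 403 ) );
    }
    return example_insert_blog_post( $request );
}

add_action( 'rest_api_init', function () {
    $args = array(
        'title'   => array( 'required' => true, 'type' => 'string' ),
        'content' => array( 'required' => true, 'type' => 'string' ),
    );
    register_rest_route( 'example/v1', '/create_blog', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_blog_vulnerable',
        'permission_callback' => 'is_user_logged_in',   // logged in != allowed
        'args'                => $args,
    ) );
    register_rest_route( 'example/v1', '/create_blog_hardened', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_blog_hardened',
        'permission_callback' => 'example_create_blog_permission',
        'args'                => $args,
    ) );
} );
```

On a test site you control, authenticating as a Subscriber and POSTing a title and content to the first route returns a new post id, while the second route answers 403 with the rest_forbidden error. The capability check belongs in the permission callback, not only in the handler, because WordPress reports routes with a trivial permission callback as callable by whoever is logged in, which is exactly the condition the advisory describes.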

Potential Impact

For European organizations, the impact concerns the integrity of web content and of the mobile applications that read it through the MStore API plugin. Unauthorized post creation can spread misinformation, damage reputation and, where the injected content contains personal data or breaches content policies, attract regulatory scrutiny under GDPR. Organizations that rely on the plugin for customer-facing apps or internal communication risk content pollution and a loss of user trust. Although confidentiality and availability are not directly affected, planted posts can carry phishing links or social-engineering pretexts, so the integrity compromise can become the first step of a larger attack. Regulated sectors such as finance, healthcare and government may additionally face compliance questions if unauthorized content reaches users through official channels. The absence of known exploits limits the immediate risk, but the attack amounts to a single authenticated API call and needs only a Subscriber account, which sites with open registration grant to anyone, so it could be weaponized quickly once details circulate.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the MStore API plugin and confirm the installed version; anything at or below 4.17.5 is affected. Until an official patch is available, consider the following mitigations:

1) Restrict or disable self-registration if it is not needed. The default role for new accounts is Subscriber, which is all this attack requires.
2) Review existing low-privilege accounts, remove or deactivate those that are not needed, and keep capability assignments minimal so that no account holds more than its job requires.
3) Where a Web Application Firewall is in place, add a custom rule that logs calls to the plugin's create_blog API function and blocks them if your apps do not depend on that function.
4) Monitor for unexpected post creation, in particular new posts whose author holds the Subscriber role, and review the site for posts that should not exist.
5) If feasible, temporarily deactivate the plugin or restrict its API endpoints with server-level access controls, accepting that the mobile apps depending on it lose functionality in the meantime.
6) Track vendor advisories and apply the fix as soon as it is released.
7) Brief administrators on the indicators above so they recognize exploitation and respond accordingly.
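Items 2, 4 and 5 above can be partly automated inside WordPress itself while waiting for the vendor fix. The must-use plugin below is an added example written for this advisory, not inspireui's code; every name in it is an assumption, and it assumes create_blog ends up calling WordPress's own wp_insert_post(), as any plugin creating posts normally does. It refuses post creation by a logged-in user who lacks the capability WordPress itself would require, logs the attempt, and adds a WP-CLI command that lists existing posts whose author cannot publish, which is the retroactive check item 4 calls for.

```php
<?php
/**
 * Plugin Name: Example interim guard for post creation (CVE-2025-4683)
 *
 * Added example for this advisory, not inspireui's code; every name here is
 * an assumption. Placed in wp-content/mu-plugins/ it does two things until
 * the vendor fix is installed:
 *  1. Refuses creation of a blog post by a logged-in user who lacks the
 *     capability WordPress normally requires, whatever code path called
 *     wp_insert_post(), and logs the attempt.
 *  2. Adds `wp example-guard audit` to list existing posts whose author
 *     cannot publish, i.e. candidates for earlier abuse.
 */

// Same rule core's REST posts controller applies: edit_posts to create a
// post at all, publish_posts to create it directly in a live state.
function example_guard_user_may_create( $user_id, $status ) {
    if ( ! user_can( $user_id, 'edit_posts' ) ) {
        return false;
    }
    if ( in_array( $status, array( 'publish', 'future' ), true ) ) {
        return user_can( $user_id, 'publish_posts' );
    }
    return true;
}

// wp_insert_post() consults this filter before writing. Returning true aborts
// the insert: the caller receives 0, or WP_Error('empty_content') if it asked
// for errors. No row is written either way.
add_filter( 'wp_insert_post_empty_content', function ( $maybe_empty, $postarr ) {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return $maybe_empty;   // cron, WP-CLI, unauthenticated paths: untouched
    }
    $post_type = isset( $postarr['post_type'] ) ? $postarr['post_type'] : 'post';
    if ( 'post' !== $post_type || ! empty( $postarr['ID'] ) ) {
        return $maybe_empty;   // other post types and updates are out of scope
    }
    $status = isset( $postarr['post_status'] ) ? $postarr['post_status'] : 'draft';
    if ( example_guard_user_may_create( $user_id, $status ) ) {
        return $maybe_empty;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'example-guard: blocked post creation by user %d (%s; roles: %s) from %s uri=%s',
        $user_id,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    return true;
}, 10, 2 );

// Retroactive hunt. Usage: wp example-guard audit --since=2025-01-01
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example-guard audit', function ( $args, $assoc_args ) {
        $since = isset( $assoc_args['since'] ) ? $assoc_args['since'] : '2025-01-01';
        $query = new WP_Query( array(
            'post_type'      => 'post',
            'post_status'    => 'any',
            'posts_per_page' => -1,
            'fields'         => 'ids',
            'date_query'     => array( array( 'after' => $since, 'inclusive' => true ) ),
        ) );
        $rows = array();
        foreach ( $query->posts as $post_id ) {
            $author_id = (int) get_post_field( 'post_author', $post_id );
            // Flags posts whose author cannot publish *today*; role changes
            // since the post was created cause misses or false positives.
            if ( ! user_can( $author_id, 'publish_posts' ) ) {
                $rows[] = array(
                    'post_id' => $post_id,
                    'author'  => get_the_author_meta( 'user_login', $author_id ),
                    'status'  => get_post_status( $post_id ),
                    'created' => get_post_field( 'post_date_gmt', $post_id ),
                );
            }
        }
        WP_CLI\Utils\format_items( 'table', $rows, array( 'post_id', 'author', 'status', 'created' ) );
        WP_CLI::log( count( $rows ) . ' post(s) flagged.' );
    } );
}
```

The guard deliberately ignores requests with no logged-in user and post types other than post, so scheduled tasks, command-line imports and e-commerce records are not affected; if a site legitimately lets Subscribers submit front-end posts through another plugin, that flow will also be blocked and the scope needs narrowing. Ship the error_log lines to the same place as the web server logs so that item 4's monitoring sees them, and remove the file once the patched plugin version is installed.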

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-14T11:50:47.393Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6835ae14182aa0cae20f9f58

Added to database: 5/27/2025, 12:20:36 PM

Last enriched: 7/11/2025, 10:47:55 AM

Last updated: 8/2/2025, 12:38:02 PM
