The MStore API plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) in the update_user_profile() function within controllers/flutter-user.php. This function reads raw JSON input from php://input, decodes it, authenticates the user via cookie validation, and then iterates over the user-supplied meta_data array without any allowlist, blocklist, or validation of meta keys. Consequently, authenticated users with Subscriber-level privileges or above can update arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (which can be used for privilege escalation) and plugin-specific authorization flags. The vulnerability does not permit direct modification of wp_capabilities due to its serialized array format requirement but does allow modification of other critical meta keys. The issue affects all versions up to and including 4.18.3. No patch or official remediation has been published yet.

An authenticated attacker with Subscriber-level access or higher can modify arbitrary user meta fields on their own account, including sensitive fields that can lead to privilege escalation (e.g., wp_user_level) and manipulation of plugin-specific authorization flags. This could allow an attacker to gain administrator-level privileges or alter billing/profile information with unsanitized input, potentially enabling stored cross-site scripting (XSS) in administrative contexts. The vulnerability does not impact confidentiality or availability directly but poses an integrity risk through unauthorized modification of user metadata.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions carefully and monitor for suspicious activity related to user meta modifications. Avoid granting Subscriber-level or higher access to untrusted users. Consider implementing custom validation or sanitization for user meta updates if possible.