CVE-2026-3568: CWE-639 Authorization Bypass Through User-Controlled Key in inspireui MStore API – Create Native Android & iOS Apps On The Cloud
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
AI Analysis
Technical Summary
CVE-2026-3568 is an authorization bypass vulnerability (CWE-639) in the MStore API WordPress plugin's update_user_profile() function. The function reads raw JSON input from php://input, decodes it, authenticates the user via cookie validation, and then updates user meta fields directly from the user-supplied 'meta_data' array without any validation or restrictions. This allows authenticated users with Subscriber-level privileges or higher to modify arbitrary meta keys on their own accounts, including sensitive fields like wp_user_level and plugin-specific authorization flags. The vulnerability does not allow direct exploitation of wp_capabilities due to serialization requirements but does permit privilege escalation via wp_user_level and potential stored XSS through unsanitized profile fields. The vulnerability affects all versions up to and including 4.18.3. No patch or official remediation has been disclosed as of the publication date.
Potential Impact
An authenticated attacker with Subscriber-level access or higher can modify arbitrary user meta fields on their own account, including sensitive authorization and profile fields. This can lead to privilege escalation to administrator-level roles via manipulation of wp_user_level, unauthorized activation or deactivation of plugin-specific features, and potential stored cross-site scripting (XSS) in administrative contexts. The vulnerability does not impact confidentiality or availability directly but poses a risk to integrity and authorization controls within the affected WordPress environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious changes to user meta fields. Avoid granting Subscriber-level or higher access to untrusted users. Consider implementing custom validation or sanitization of user meta updates if feasible. Follow updates from the vendor for an official patch or temporary workaround.
CVE-2026-3568: CWE-639 Authorization Bypass Through User-Controlled Key in inspireui MStore API – Create Native Android & iOS Apps On The Cloud
Description
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3568 is an authorization bypass vulnerability (CWE-639) in the MStore API WordPress plugin's update_user_profile() function. The function reads raw JSON input from php://input, decodes it, authenticates the user via cookie validation, and then updates user meta fields directly from the user-supplied 'meta_data' array without any validation or restrictions. This allows authenticated users with Subscriber-level privileges or higher to modify arbitrary meta keys on their own accounts, including sensitive fields like wp_user_level and plugin-specific authorization flags. The vulnerability does not allow direct exploitation of wp_capabilities due to serialization requirements but does permit privilege escalation via wp_user_level and potential stored XSS through unsanitized profile fields. The vulnerability affects all versions up to and including 4.18.3. No patch or official remediation has been disclosed as of the publication date.
Potential Impact
An authenticated attacker with Subscriber-level access or higher can modify arbitrary user meta fields on their own account, including sensitive authorization and profile fields. This can lead to privilege escalation to administrator-level roles via manipulation of wp_user_level, unauthorized activation or deactivation of plugin-specific features, and potential stored cross-site scripting (XSS) in administrative contexts. The vulnerability does not impact confidentiality or availability directly but poses a risk to integrity and authorization controls within the affected WordPress environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious changes to user meta fields. Avoid granting Subscriber-level or higher access to untrusted users. Consider implementing custom validation or sanitization of user meta updates if feasible. Follow updates from the vendor for an official patch or temporary workaround.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-04T20:45:42.536Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d71b0f1cc7ad14da048cc6
Added to database: 4/9/2026, 3:20:47 AM
Last enriched: 4/9/2026, 3:36:36 AM
Last updated: 4/10/2026, 7:51:53 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.