CVE-2026-3568

MEDIUM EPSS 13.3%
Published Apr 9, 20262mo ago · Modified Jun 17, 20261w ago
4.3 CVSS 3.1
Medium
Find Similar
Published Apr 9, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
13.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-639

References 8

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1012
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1078
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.18.3/controllers/flutter-user.php#L1080
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1012
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1078
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1080
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494266%40mstore-api&new=3494266%40mstore-api&sfp_email=&sfph_mail=
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/a77bc126-4dbd-4a26-b98c-946341d4282f?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.