Hackers are exploiting CVE-2023-2732 vulnerability in WordPress MStore API plugin

An authentication bypass vulnerability has been found in the MStore API WordPress plugin. Identified as CVE-2023-2732 and assigned a troubling Common Vulnerability Scoring System (CVSS) score of 9.8, this security loophole is a potent threat to over 5,000 WordPress sites utilizing this plugin.

The MStore API plugin, a vital cog in the Fluxstore mobile e-commerce system, has gained substantial popularity for its high productivity and cost efficiency. Fluxstore, birthed from the innovative cradle of Google’s Flutter framework, is on a mission to streamline the journey of mobile apps from the development stage to the market. However, a vulnerability in this widely-used tool, specifically in versions up to and including 3.9.2, threatens to cast a dark shadow on its stellar reputation.

The root of the CVE-2023-2732 flaw lies in the insufficient verification process of the user being supplied during the ‘add listing’ REST API request via the plugin. In simpler terms, the plugin fails to adequately authenticate the identities of its users, thereby opening a gateway for nefarious entities to exploit. Armed with a user id, unauthenticated attackers can bypass security measures and impersonate any existing user on the site, even an administrator, thereby seizing control of the website.

What adds a layer of urgency to this predicament is that the cyber-underworld is not only aware of this vulnerability but is actively scanning the vast expanses of the Internet to pinpoint and exploit vulnerable plugin versions on WordPress websites. In a testament to the escalating threat, Wordfence, a leading security solution for WordPress, blocked a staggering 794 attacks targeting this vulnerability within the span of a single day.

The fix was released with MStore API version 3.9.3. All plugin users are recommended to upgrade to the latest version as soon as possible.