{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T10:27:40.782","vulnerabilities":[{"cve":{"id":"CVE-2025-3438","sourceIdentifier":"security@wordfence.com","published":"2025-05-02T06:15:48.020","lastModified":"2025-05-06T15:35:14.563","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3."},{"lang":"es","value":"El complemento MStore API – Create Native Android & iOS Apps On The Cloud para WordPress es vulnerable a una escalada de privilegios limitada en todas las versiones hasta la 4.17.4 incluida. Esto se debe a la falta de restricción de roles al registrarse. Esto permite que atacantes no autenticados se registren con el rol 'wcfm_vendor', que es un rol de vendedor de tienda en el complemento WCFM Marketplace – Multivendor Marketplace para WooCommerce para WordPress. Esta vulnerabilidad solo se puede explotar si el plugin WCFM Marketplace – Multivendor Marketplace para WooCommerce está instalado y activado. La vulnerabilidad se corrigió parcialmente en la versión 4.17.3."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"4.17.5","matchCriteriaId":"4F32FF32-13F7-4BBD-B1ED-77338D03B697"}]}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L392","source":"security@wordfence.com","tags":["Product"]},{"url":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L413","source":"security@wordfence.com","tags":["Product"]},{"url":"https://plugins.trac.wordpress.org/changeset/3277790","source":"security@wordfence.com","tags":["Patch"]},{"url":"https://plugins.trac.wordpress.org/changeset/3279132/","source":"security@wordfence.com","tags":["Patch"]},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/be5d86ad-f94b-4fcb-9b74-ecddde2bf29d?source=cve","source":"security@wordfence.com","tags":["Third Party Advisory"]}]}}]}