The MStore API plugin for WordPress is vulnerable to...
Moderate severity
Unreviewed
Published
Jun 14, 2023
to the GitHub Advisory Database
•
Updated Apr 4, 2024
Description
Published by the National Vulnerability Database
Jun 14, 2023
Published to the GitHub Advisory Database
Jun 14, 2023
Last updated
Apr 4, 2024
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References