Platform
wordpress
Component
mstore-api
Fixed in
4.17.3
CVE-2025-3438 describes a privilege escalation vulnerability affecting the MStore API WordPress plugin. This flaw allows unauthenticated attackers to register with a Store Vendor role, potentially leading to unauthorized access and manipulation of marketplace data. The vulnerability impacts versions 0.0.0 through 4.17.4 and is resolved in version 4.17.3.
Successful exploitation of CVE-2025-3438 allows an attacker to bypass authentication and register as a vendor within the WCFM Marketplace. This grants them unauthorized access to vendor-specific functionalities, potentially including listing products, managing orders, and accessing sensitive customer data. The scope of impact is limited to environments where both the MStore API and WCFM Marketplace plugins are active. While the vulnerability doesn't grant full administrative control, it represents a significant security risk as it enables unauthorized actions within the marketplace ecosystem. This could lead to fraudulent listings, data manipulation, and reputational damage for the website owner.
CVE-2025-3438 was publicly disclosed on May 2, 2025. Currently, there are no known public proof-of-concept exploits available. The vulnerability's impact is contingent on the presence of both the MStore API and WCFM Marketplace plugins, limiting its potential attack surface. Its inclusion in the KEV catalog is pending. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress sites utilizing the MStore API plugin in conjunction with the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin are at risk. Specifically, sites with permissive role assignment configurations or those running older, unpatched versions of the MStore API plugin are particularly vulnerable.
• wordpress / composer / npm:
grep -r 'wcfm_vendor' /var/www/html/wp-content/plugins/
wp plugin list | grep mstore-api
• wordpress / composer / npm:
curl -I https://your-wordpress-site.com/wp-content/plugins/mstore-api/ | grep 'X-Powered-By'
• wordpress / composer / npm:
wp plugin status mstore-api
Disclosure
Exploit status
EPSS
0.49% (65th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3438 is to immediately upgrade the MStore API plugin to version 4.17.3 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the MStore API plugin until a compatible upgrade can be performed. As a temporary workaround, restrict the 'wcfmvendor' role to only trusted users. Monitor WordPress access logs for suspicious registration attempts. Implement a Web Application Firewall (WAF) rule to block requests attempting to register with the 'wcfmvendor' role from unauthorized sources. After upgrading, verify the fix by attempting to register a new user without authentication and confirming that the registration fails.
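As an added example (not part of this advisory), the log-monitoring step above worked through in Python: it parses combined-format access-log lines and flags POST requests to a WordPress REST registration route whose query string requests a privileged role such as 'wcfmvendor', counting hits per source IP. The registration route and the sample log lines are constructed assumptions, not taken from the page; since access logs never contain POST bodies, a role sent in the request body is invisible here and must be caught by the WAF rule instead.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: the plugin's registration route lives under the WordPress REST prefix.
# The exact route is not on the advisory page, so any /wp-json/ path containing "register" is matched.
REGISTER_PATH = re.compile(r'^/wp-json/.*register', re.IGNORECASE)
PRIVILEGED_ROLES = {"wcfmvendor", "administrator", "editor", "shop_manager"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_registration(entry):
    """Return the requested role (lowercase) if the entry is a registration request naming a privileged role."""
    if entry is None or entry["method"] != "POST":
        return None
    parts = urlsplit(entry["path"])
    if not REGISTER_PATH.match(parts.path):
        return None
    role = parse_qs(parts.query).get("role", [None])[0]
    return role.lower() if role and role.lower() in PRIVILEGED_ROLES else None

def scan(lines):
    """Return (list of (ip, role, http_status) hits, Counter of hits per source IP)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        role = suspicious_registration(entry)
        if role:
            hits.append((entry["ip"], role, int(entry["status"])))
    return hits, Counter(ip for ip, _, _ in hits)

# Constructed sample traffic; the route and addresses are placeholders, not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2025:10:15:01 +0000] "POST /wp-json/api/flutter_user/register?role=wcfmvendor HTTP/1.1" 200 312 "-" "curl/8.1"',
    '203.0.113.7 - - [02/May/2025:10:15:03 +0000] "POST /wp-json/api/flutter_user/register?role=wcfmvendor HTTP/1.1" 200 315 "-" "curl/8.1"',
    '198.51.100.4 - - [02/May/2025:10:16:10 +0000] "POST /wp-json/api/flutter_user/register HTTP/1.1" 200 290 "-" "okhttp/4.9"',
    '198.51.100.9 - - [02/May/2025:10:17:00 +0000] "GET /wp-content/plugins/mstore-api/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [02/May/2025:10:18:44 +0000] "POST /wp-json/api/flutter_user/register?role=subscriber HTTP/1.1" 200 300 "-" "okhttp/4.9"',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, role, status in hits:
        print(f"{ip} requested role={role} (HTTP {status})")
    print("hits per IP:", dict(per_ip))
```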
Update the MStore API plugin to version 4.17.3 or later to mitigate the privilege escalation vulnerability. This update corrects the missing role restrictions when registering new users, preventing unauthenticated attackers from obtaining store vendor privileges.
CVE-2025-3438 is a medium severity vulnerability in the MStore API WordPress plugin allowing unauthenticated attackers to register as a vendor if the WCFM Marketplace plugin is also installed, potentially granting unauthorized access.
You are affected if you are using MStore API versions 0.0.0 through 4.17.4 and have the WCFM Marketplace plugin installed and activated on your WordPress site.
Upgrade the MStore API plugin to version 4.17.3 or later. If immediate upgrade is not possible, temporarily disable the WCFM Marketplace plugin.
While no public exploits are currently available, the ease of exploitation suggests a potential for active campaigns. Monitor your WordPress site for suspicious activity.
Refer to the MStore API plugin documentation and WordPress security announcements for the official advisory regarding CVE-2025-3438.