Platform: wordpress
Component: mstore-api
Fixed in: 4.17.3
CVE-2025-3438 describes a privilege escalation vulnerability affecting the MStore API WordPress plugin. This flaw allows unauthenticated attackers to register with a Store Vendor role, potentially leading to unauthorized access and manipulation of marketplace data. The vulnerability impacts versions 0.0.0 through 4.17.4 and is resolved in version 4.17.3.
Successful exploitation of CVE-2025-3438 allows an attacker to register as a 'wcfm_vendor' within the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin. This role grants significant privileges, including the ability to list products, manage orders, and potentially access sensitive customer information. The attacker could leverage this access to manipulate pricing, create fraudulent listings, or even gain control over vendor accounts. The blast radius is limited to the scope of the WCFM Marketplace functionality within the WordPress site.
CVE-2025-3438 was publicly disclosed on 2025-05-02. The vulnerability is considered medium severity based on the CVSS score. Public proof-of-concept exploits are not currently available, but the ease of exploitation suggests a potential for active campaigns. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.49% (65th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-3438 is to immediately upgrade the MStore API plugin to version 4.17.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the WCFM Marketplace plugin to reduce the attack surface. While not a complete solution, implementing strict role-based access controls within the WCFM Marketplace can limit the potential impact of a successful exploitation. Monitor WordPress access logs for suspicious registration attempts.
Update the MStore API plugin to version 4.17.3 or later to mitigate the privilege escalation vulnerability. This update corrects the missing role restrictions when registering new users, preventing unauthenticated attackers from obtaining Store Vendor privileges.
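A defender-side audit that turns the mitigation guidance above into a check: it confirms whether the installed MStore API version carries the 4.17.3 fix and lists `wcfm_vendor` accounts created on or after the 2025-05-02 disclosure date for manual review. This is an added example, not code from the advisory or the MStore API project; its inputs mirror the output of the WP-CLI commands `wp plugin get mstore-api --field=version` and `wp user list --role=wcfm_vendor --format=json`, and the embedded user list is a constructed sample.

```python
"""Post-patch audit for CVE-2025-3438 (added example; not code from the advisory or
the MStore API project). Inputs mirror what WP-CLI returns for
`wp plugin get mstore-api --field=version` and `wp user list --role=wcfm_vendor
--format=json`; the user list is embedded below as a constructed sample."""
import json
import re
from datetime import datetime

FIXED_VERSION = (4, 17, 3)         # "Fixed in 4.17.3" per the advisory
DISCLOSURE = datetime(2025, 5, 2)  # public disclosure date per the advisory


def parse_version(version: str) -> tuple:
    """'4.17.2-rc1' -> (4, 17, 2); trailing non-numeric text in a component is ignored."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_fixed(installed: str) -> bool:
    """True when the installed MStore API version already carries the fix."""
    return parse_version(installed) >= FIXED_VERSION


def vendors_registered_since(user_list_json: str, since: datetime = DISCLOSURE) -> list:
    """Logins of wcfm_vendor accounts created on/after `since`. Review them by hand:
    the flaw lets an unauthenticated caller self-register straight into that role."""
    hits = []
    for user in json.loads(user_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            hits.append(user["user_login"])
    return hits


def audit(installed: str, wcfm_active: bool, user_list_json: str) -> list:
    """Findings for one site; exposure needs the unpatched plugin AND WCFM active."""
    findings = []
    if not is_fixed(installed):
        state = "is exploitable" if wcfm_active else "is unpatched (exposure returns once WCFM is activated)"
        findings.append(f"mstore-api {installed} {state}: upgrade to 4.17.3 or later")
    for login in vendors_registered_since(user_list_json):
        findings.append(f"vendor account '{login}' registered after disclosure: verify legitimacy")
    return findings


# Constructed sample of `wp user list --role=wcfm_vendor --format=json` output.
SAMPLE_VENDORS = json.dumps([
    {"ID": 7, "user_login": "trusted_shop", "user_registered": "2024-11-03 09:12:44"},
    {"ID": 41, "user_login": "qx8_vendor", "user_registered": "2025-05-06 02:17:09"},
])
```

Run `audit("4.17.2", True, SAMPLE_VENDORS)` to see both finding types; on a real site, replace the constants with the live WP-CLI output.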
CVE-2025-3438 is a medium severity vulnerability in the MStore API WordPress plugin allowing unauthenticated attackers to register as a vendor if the WCFM Marketplace plugin is also installed, potentially granting unauthorized access.
You are affected if you are using MStore API versions 0.0.0 through 4.17.4 and have the WCFM Marketplace plugin installed and activated on your WordPress site.
Upgrade the MStore API plugin to version 4.17.3 or later. If immediate upgrade is not possible, temporarily disable the WCFM Marketplace plugin.
While no public exploits are currently available, the ease of exploitation suggests a potential for active campaigns. Monitor your WordPress site for suspicious activity.
Refer to the MStore API plugin documentation and WordPress security announcements for the official advisory regarding CVE-2025-3438.