{"api_version":"1","generated_at":"2026-04-23T15:10:18+00:00","cve":"CVE-2023-3277","urls":{"html":"https://cve.report/CVE-2023-3277","api":"https://cve.report/api/cve/CVE-2023-3277.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-3277","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-3277"},"summary":{"title":"MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation","description":"The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-11-03 12:15:08","updated_at":"2026-04-08 17:16:59"},"problem_types":["CWE-288","NVD-CWE-Other","CWE-288 CWE-288 Authentication Bypass Using an Alternate Path or Channel"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821","name":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail=","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-3277","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3277","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"inspireui","product":"MStore API – Create Native Android & iOS Apps On The Cloud","version":"affected 4.10.7 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2023-06-19T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Truoc Phan","lang":"en"},{"source":"CNA","value":"An Đặng","lang":"en"}],"nvd_cpes":[{"cve_year":"2023","cve_id":"3277","vulnerable":"1","versionEndIncluding":"4.10.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"inspireui","cpe5":"mstore_api","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-3277","qid":"731040","title":"WordPress Plugin Mstore-api Unauthenticated Privilege Escalation Vulnerability"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-02T06:48:08.451Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2023-3277","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-02-05T18:39:55.827729Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-02-05T18:51:59.822Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"MStore API – Create Native Android & iOS Apps On The Cloud","vendor":"inspireui","versions":[{"lessThanOrEqual":"4.10.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Truoc Phan"},{"lang":"en","type":"finder","value":"An Đặng"}],"descriptions":[{"lang":"en","value":"The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address."}],"metrics":[{"cvssV3_1":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288 Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:39:44.129Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2023-06-19T00:00:00.000Z","value":"Disclosed"}],"title":"MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2023-3277","datePublished":"2023-11-03T11:29:49.440Z","dateReserved":"2023-06-15T13:27:17.682Z","dateUpdated":"2026-04-08T16:39:44.129Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-11-03 12:15:08","lastModifiedDate":"2026-04-08 17:16:59","problem_types":["CWE-288","NVD-CWE-Other","CWE-288 CWE-288 Authentication Bypass Using an Alternate Path or Channel"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"4.10.7","matchCriteriaId":"D572F64E-4E47-492F-86CF-D41F26BE0FEE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2023","CveId":"3277","Ordinal":"1","Title":"MStore API <= 4.10.7 - Unauthorized Account Access and Privilege","CVE":"CVE-2023-3277","Year":"2023"},"notes":[{"CveYear":"2023","CveId":"3277","Ordinal":"1","NoteData":"The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.","Type":"Description","Title":"MStore API <= 4.10.7 - Unauthorized Account Access and Privilege"}]}}}