CVE-2025-3438 Overview
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress contains a limited privilege escalation vulnerability in all versions up to and including 4.17.4. The vulnerability stems from a lack of role restriction during user registration, allowing unauthenticated attackers to register with elevated privileges. Specifically, attackers can register with the wcfm_vendor role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin.
Critical Impact
Unauthenticated attackers can gain Store Vendor privileges on WooCommerce marketplaces, potentially compromising multi-vendor e-commerce operations and gaining unauthorized access to vendor-level functionality.
Affected Products
- InspireUI MStore API plugin for WordPress (all versions up to and including 4.17.4)
- WordPress sites with WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin installed and activated
- WooCommerce-based multi-vendor marketplace installations using the MStore API plugin
Discovery Timeline
- 2025-05-02 - CVE-2025-3438 published to NVD
- 2025-05-06 - Last updated in NVD database
Technical Details for CVE-2025-3438
Vulnerability Analysis
This privilege escalation vulnerability exists in the user registration functionality of the MStore API plugin, specifically within the flutter-user.php controller. The vulnerability allows unauthenticated attackers to bypass role restrictions during the registration process. When the WCFM Marketplace plugin is installed and activated alongside MStore API, attackers can exploit this flaw to register accounts with the wcfm_vendor role instead of the default subscriber role.
The Store Vendor role grants significant privileges within a WooCommerce multi-vendor marketplace, including the ability to manage products, view orders, access vendor dashboards, and potentially interact with customer data. This represents a significant security boundary violation as it allows anonymous users to gain trusted vendor-level access.
The vulnerability was partially addressed in version 4.17.3, but a complete fix was not implemented until subsequent patches were released.
Root Cause
The root cause of this vulnerability is improper access control (CWE-269: Improper Privilege Management) in the user registration endpoint. The MStore API plugin fails to properly validate and restrict the role parameter during user registration requests. The plugin accepts user-supplied role values without verifying that the requested role is appropriate for an unauthenticated registration, allowing attackers to specify privileged roles such as wcfm_vendor.
The vulnerable code can be found in the flutter-user.php controller, specifically around lines 392-413 where user registration is processed without adequate role validation.
Attack Vector
The attack is executed remotely over the network without requiring authentication. An attacker can craft a malicious registration request to the MStore API endpoint, specifying the wcfm_vendor role in the registration parameters. The attack requires no user interaction and can be automated.
The attack prerequisites include:
- Target WordPress site must have MStore API plugin installed (versions up to 4.17.4)
- WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin must be installed and activated
- The registration endpoint must be accessible over the network
Upon successful exploitation, the attacker obtains a valid user account with Store Vendor privileges, enabling them to perform actions typically reserved for legitimate vendors in the marketplace ecosystem.
Detection Methods for CVE-2025-3438
Indicators of Compromise
- Unusual spike in new user registrations with the wcfm_vendor role
- User accounts created with vendor privileges that were not approved through normal vendor application workflows
- Multiple vendor account creations from the same IP address or geographic location
- Vendor accounts with suspicious usernames, email domains, or incomplete profile information
Detection Strategies
- Monitor WordPress user registration logs for accounts created with the wcfm_vendor role without corresponding vendor application approvals
- Implement rate limiting and anomaly detection on the MStore API registration endpoints
- Review the wp_users and wp_usermeta tables for recently created accounts with vendor capabilities
- Configure web application firewall rules to flag registration requests attempting to specify privileged roles
Monitoring Recommendations
- Enable comprehensive logging for all MStore API endpoints, particularly user registration functions
- Set up alerts for any new vendor account creation to ensure manual verification
- Monitor for unauthorized access to vendor dashboard pages by newly created accounts
- Review server access logs for suspicious POST requests to /wp-json/api/flutter_user/ endpoints
How to Mitigate CVE-2025-3438
Immediate Actions Required
- Update the MStore API plugin to a version newer than 4.17.4 that includes the complete fix
- Audit all existing user accounts with the wcfm_vendor role to identify potentially malicious accounts
- Temporarily disable user registration if the plugin cannot be immediately updated
- Review and revoke access for any suspicious vendor accounts created without proper authorization
Patch Information
InspireUI has released patches to address this vulnerability. The fix was partially implemented in version 4.17.3 and further strengthened in subsequent releases. The patches add proper role validation during user registration to ensure only permitted roles can be assigned.
Patch details can be reviewed in the following changesets:
For additional vulnerability details, refer to the Wordfence Vulnerability Report.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the MStore API plugin until an update can be applied
- Implement additional server-side validation to reject registration requests containing privileged role parameters
- Use a web application firewall to block requests attempting to register with the wcfm_vendor role
- Require manual approval for all new vendor accounts through the WCFM Marketplace admin interface
# WordPress CLI command to list all users with wcfm_vendor role for audit
wp user list --role=wcfm_vendor --fields=ID,user_login,user_email,user_registered
# Temporarily disable user registration via wp-config.php
# Add this line to prevent new registrations until patched
# define('WP_ALLOW_MULTISITE', false);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
