CVE-2020-36713
🔴 Łataj teraz
Obejście uwierzytelnienia w wtyczce MStore API dla WordPressa umożliwia tworzenie kont administratora.
CVSS
9.8
EPSS
0.9%
Exploit
poc
Vendor
inspireui
Opis źródłowy (NVD)
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.
auth-bypass exploit
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.9% |
| Opublikowano (NVD) | 2023-06-07 02:15:11 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-08 18:17:09 UTC |
Referencje
- https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/ (security@wordfence.com) [Exploit]
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-security-bypass-2-1-5/ (security@wordfence.com) [Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a34-f448cb2e5a1d?source=cve (security@wordfence.com) [Third Party Advisory]