CVE-2026-3568
Insecure Direct Object Reference in MStore API Plugin Allows Privilege Escalation
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mstore | api_plugin | up to 4.18.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The MStore API plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to 4.18.3. This happens because the update_user_profile() function processes a 'meta_data' JSON parameter without any filtering or validation of the keys. The function reads raw JSON input, authenticates the user via cookie, and then updates user meta fields directly with the supplied keys and values without sanitization.
As a result, authenticated users with Subscriber-level access or higher can modify arbitrary meta fields on their own accounts, including sensitive fields like wp_user_level (which can be used to escalate privileges to administrator level), plugin-specific authorization flags, and billing/profile fields. Some fields like wp_capabilities are not exploitable due to their format, but many others are.
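The defensive counterpart to the pattern described above, as an added example written for this page and not code from the MStore API plugin: the meta keys a request may change come from an explicit allowlist, every value passes through a sanitizer, and a single unknown key fails the whole request. The example_ function names and the allowlist contents are assumptions; only the WordPress core APIs (update_user_meta, sanitize_text_field, WP_Error, WP_REST_Request) are real.

```php
<?php
// Added example (not the MStore API plugin's code): a hardened profile-update
// handler that allowlists which user meta keys a request may change. Assumes a
// WordPress runtime; names prefixed example_ and the allowlist are hypothetical.

// Keys a logged-in user may change about themselves. Anything else, including
// wp_user_level, wp_capabilities and plugin authorization flags, is rejected.
const EXAMPLE_ALLOWED_PROFILE_META = array(
    'billing_first_name' => 'sanitize_text_field',
    'billing_last_name'  => 'sanitize_text_field',
    'billing_phone'      => 'sanitize_text_field',
    'description'        => 'sanitize_textarea_field',
);

// Validate a decoded meta_data array against the allowlist. Returns sanitized
// key/value pairs, or a WP_Error if any key is unknown or any value non-scalar.
function example_filter_profile_meta( $meta_data ) {
    if ( ! is_array( $meta_data ) ) {
        return new WP_Error( 'invalid_meta', 'meta_data must be a JSON object' );
    }
    $clean = array();
    foreach ( $meta_data as $key => $value ) {
        if ( ! isset( EXAMPLE_ALLOWED_PROFILE_META[ $key ] ) ) {
            // Fail closed: one disallowed key rejects the whole request.
            return new WP_Error( 'forbidden_meta', "meta key not allowed: $key" );
        }
        if ( ! is_scalar( $value ) ) {
            return new WP_Error( 'invalid_meta', "meta value must be scalar: $key" );
        }
        $clean[ $key ] = call_user_func( EXAMPLE_ALLOWED_PROFILE_META[ $key ], (string) $value );
    }
    return $clean;
}

// Endpoint callback: authenticate, validate, then write only allowlisted keys
// to the caller's own account. Assumes the route was registered with a
// permission_callback so anonymous requests never reach this function.
function example_update_user_profile( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        return new WP_Error( 'not_logged_in', 'Authentication required', array( 'status' => 401 ) );
    }
    $clean = example_filter_profile_meta( $request->get_param( 'meta_data' ) );
    if ( is_wp_error( $clean ) ) {
        return $clean;
    }
    foreach ( $clean as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    return rest_ensure_response( array( 'updated' => array_keys( $clean ) ) );
}
```

When reviewing a site for this class of bug, the check is the same one the code makes explicit: any handler that passes client-supplied keys straight into update_user_meta(), without an allowlist, lets a Subscriber write whatever meta key the database will accept.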
How can this vulnerability impact me?
This vulnerability allows authenticated users with low-level access to escalate their privileges by modifying sensitive user meta fields. For example, they can change their wp_user_level to gain administrator-level access. They can also alter plugin-specific authorization flags and billing or profile information with unsanitized values, which could lead to stored cross-site scripting (XSS) attacks in admin contexts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Subscriber-level access to modify arbitrary user meta fields on their own accounts, including sensitive fields and billing/profile information with unsanitized values. This could potentially lead to unauthorized data modification and stored cross-site scripting (XSS) in admin contexts.
Such unauthorized modification of user data and potential injection of malicious content may impact compliance with data protection regulations like GDPR and HIPAA, which require maintaining data integrity, confidentiality, and protection against unauthorized access or alteration.
However, the provided context does not explicitly discuss compliance implications or specific effects on standards such as GDPR or HIPAA.