CVE-2026-3568
Received Received - Intake
Insecure Direct Object Reference in MStore API Plugin Allows Privilege Escalation

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: Wordfence

Description
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3568
EUVD
EUVD-2026-20840
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mstore api_plugin to 4.18.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access to modify arbitrary user meta fields on their own accounts, including sensitive fields and billing/profile information with unsanitized values. This could potentially lead to unauthorized data modification and stored cross-site scripting (XSS) in admin contexts.

Such unauthorized modification of user data and potential injection of malicious content may impact compliance with data protection regulations like GDPR and HIPAA, which require maintaining data integrity, confidentiality, and protection against unauthorized access or alteration.

However, the provided context does not explicitly discuss compliance implications or specific effects on standards such as GDPR or HIPAA.

Executive Summary

The MStore API plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to 4.18.3. This happens because the update_user_profile() function processes a 'meta_data' JSON parameter without any filtering or validation of the keys. The function reads raw JSON input, authenticates the user via cookie, and then updates user meta fields directly with the supplied keys and values without sanitization.

As a result, authenticated users with Subscriber-level access or higher can modify arbitrary meta fields on their own accounts, including sensitive fields like wp_user_level (which can be used to escalate privileges to administrator level), plugin-specific authorization flags, and billing/profile fields. Some fields like wp_capabilities are not exploitable due to their format, but many others are.

Impact Analysis

This vulnerability allows authenticated users with low-level access to escalate their privileges by modifying sensitive user meta fields. For example, they can change their wp_user_level to gain administrator-level access. They can also alter plugin-specific authorization flags and billing or profile information with unsanitized values, which could lead to stored cross-site scripting (XSS) attacks in admin contexts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart