CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

May 2, 2025

CVE ID : CVE-2025-3438

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the ‘wcfm_vendor’ role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-3488 – WordPress WPML Stored Cross-Site Scripting Vulnerability

Next Article CVE-2025-3858 – WordPress Formality Plugin Stored Cross-Site Scripting Vulnerability

Sunshine And March Vibes (2025 Wallpapers Edition)

The Case For Minimal WordPress Setups: A Contrarian View On Theme Frameworks

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

Microsoft unveils “new generation of Windows experiences” — here’s what’s on the way to Windows 11 and Copilot+ PCs

Windows 11’s Settings app is getting an AI agent that can configure options on your PC for you

Microsoft announces new Surface Pro and Surface Laptop with smaller screens, lower starting prices, and surprising design changes

Surface Pro 12-inch vs. Surface Pro 11: Which 2-in-1 Copilot+ PC is better for you?

Solution Highlight – Oracle Fusion Global SCM and Manufacturing – Part 2

Solution Highlight – Oracle Fusion Global SCM and Manufacturing – Part 2

URI Path Components Using Laravel’s pathSegments() Method

Managing Encrypted Environment Variables In Laravel With Veil

Microsoft unveils “new generation of Windows experiences” — here’s what’s on the way to Windows 11 and Copilot+ PCs

Microsoft unveils “new generation of Windows experiences” — here’s what’s on the way to Windows 11 and Copilot+ PCs

Windows 11’s Settings app is getting an AI agent that can configure options on your PC for you

Microsoft announces new Surface Pro and Surface Laptop with smaller screens, lower starting prices, and surprising design changes

CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

Android Security Update – Critical Patch Released for Actively Exploited Vulnerability

RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)

Microsoft Researchers Introduce Syntheseus: A Machine Learning Benchmarking Python Library for End-to-End Retrosynthetic Planning

Grootschalig misbruik van kritieke kwetsbaarheden in Craft CMS gemeld

Mako – Extremely fast, production-grade web bundler based on Rust.

Pasaffe is an easy to use password manager for GNOME

Distribution Release: Kali Linux 2025.1a

Samsung Galaxy S25 Ultra is losing this creative S Pen feature – but you likely won’t notice

CVE-2025-4003 – Apache RefindPlus null pointer dereference vulnerability

New Android Spyware Detected in Serbian Surveillance Investigation

CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

Related Posts