Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Mstoreapp Mobile App by Unknown
CVE-2025-11127 (GCVE-0-2025-11127)
Vulnerability from nvd – Published: 2025-11-21 13:41 – Updated: 2025-11-21 14:23
VLAI
Title
Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) - Unauthenticated Privilege Escalation
Summary
The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/6432bd1a-6e44-4a… | exploitvdb-entrytechnical-description |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Mstoreapp Mobile App |
Affected:
0 , ≤ 2.0.8
(semver)
|
|
| Unknown | Mstoreapp Mobile Multivendor |
Affected:
0 , ≤ 9.0.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T14:23:24.416782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T14:23:36.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "Mstoreapp Mobile App",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Mstoreapp Mobile Multivendor",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "9.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Alenazi (Nxploited)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T13:41:07.728Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Mstoreapp Mobile (App \u003c= 2.08, Multivendor \u003c= 9.0.1) - Unauthenticated Privilege Escalation",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2025-11127",
"datePublished": "2025-11-21T13:41:07.728Z",
"dateReserved": "2025-09-27T19:41:26.193Z",
"dateUpdated": "2025-11-21T14:23:36.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11127 (GCVE-0-2025-11127)
Vulnerability from cvelistv5 – Published: 2025-11-21 13:41 – Updated: 2025-11-21 14:23
VLAI
Title
Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) - Unauthenticated Privilege Escalation
Summary
The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/6432bd1a-6e44-4a… | exploitvdb-entrytechnical-description |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Mstoreapp Mobile App |
Affected:
0 , ≤ 2.0.8
(semver)
|
|
| Unknown | Mstoreapp Mobile Multivendor |
Affected:
0 , ≤ 9.0.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T14:23:24.416782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T14:23:36.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "Mstoreapp Mobile App",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Mstoreapp Mobile Multivendor",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "9.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Alenazi (Nxploited)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T13:41:07.728Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Mstoreapp Mobile (App \u003c= 2.08, Multivendor \u003c= 9.0.1) - Unauthenticated Privilege Escalation",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2025-11127",
"datePublished": "2025-11-21T13:41:07.728Z",
"dateReserved": "2025-09-27T19:41:26.193Z",
"dateUpdated": "2025-11-21T14:23:36.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}