CVE-2023-3277
Summary
The MStore API plugin for WordPress, in versions up to 4.10.7, contains a vulnerability that allows unauthenticated attackers to access any user account for which they know the email address. The root cause is an improper implementation of the plugin's Apple login feature. The vulnerability is being disclosed because the developer has not yet released a patch.
IFF Assessment
This vulnerability allows unauthenticated attackers to gain unauthorized access to user accounts, which works against defenders.
Severity
Defender Context
This vulnerability allows account takeover without prior authentication, posing a significant risk to WordPress sites that use the MStore API plugin. Defenders should monitor for signs of unauthorized access to user accounts and update the plugin promptly once a patch is available. The issue highlights the importance of securing third-party integrations, especially those that handle user authentication.