CVE-2020-36713: 
WordPress vulnerability analysis and mitigation

The MStore API plugin for WordPress (CVE-2020-36713) contains a critical authentication bypass vulnerability affecting versions up to and including 2.1.5. The vulnerability was discovered by Jerome Bruandet and publicly disclosed on March 11, 2020. This security flaw impacts the WordPress plugin that enables the creation of native Android and iOS applications (NVD NIST, WPScan).

The vulnerability stems from unrestricted access to the 'register' and 'updateuserprofile' routes in the plugin. The issue is classified as CWE-306 (Missing Authentication for Critical Function) and received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest severity level (NVD NIST, Acunetix).

The vulnerability allows unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account, potentially leading to complete site compromise (NVD NIST).

The vulnerability has been fixed in version 2.1.6 of the MStore API plugin. Users are strongly advised to update to this version or later to protect their WordPress installations (Acunetix).