CVE-2023-2732: 
WordPress vulnerability analysis and mitigation

The MStore API plugin for WordPress contains an authentication bypass vulnerability (CVE-2023-2732) in versions up to and including 3.9.2. The vulnerability was discovered and disclosed on May 24, 2023, affecting over 5,000 WordPress sites utilizing this plugin. The MStore API plugin is a critical component of the Fluxstore mobile e-commerce system (Security Online).

The vulnerability stems from insufficient verification of user authentication during the 'add listing' REST API request through the plugin. The issue has been assigned a Critical CVSS score of 9.8, indicating its severe nature. The vulnerability allows unauthenticated attackers to bypass security measures by exploiting the insufficient verification process in the REST-API endpoints created by the plugin (NVD, FortiGuard).

Successfully exploiting this vulnerability enables unauthenticated attackers to log in as any existing user on the site, including administrators, provided they have access to the user ID. This gives attackers potential full administrative control over the affected WordPress sites (WPScan).

The vulnerability has been patched in MStore API version 3.9.3. Website administrators are strongly advised to upgrade to the latest version of the plugin immediately to protect their sites from potential attacks (FortiGuard).