CVE-2023-2733: 
WordPress vulnerability analysis and mitigation

The MStore API plugin for WordPress (versions up to 3.9.0) was identified with a critical authentication bypass vulnerability (CVE-2023-2733). The vulnerability was discovered on May 17, 2023, and stems from insufficient verification of user credentials during coupon redemption REST API requests. This security flaw affects the plugin's authentication mechanism, potentially compromising WordPress installations using the affected versions (NVD, WPScan).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical issue lies in the plugin's REST API implementation, specifically in the coupon redemption functionality, where user verification is inadequately implemented. The vulnerability is categorized under CWE-287 (Improper Authentication) and allows for authentication bypass attacks (NVD, WPScan).

The vulnerability enables unauthenticated attackers to bypass authentication controls and log in as any existing user on the site, including administrators, provided they have access to the user ID. This presents a critical security risk as it could lead to complete site compromise through unauthorized administrative access (NVD).

The vulnerability has been patched in version 3.9.1 of the MStore API plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation. The fix addresses the authentication verification issues in the coupon redemption API endpoint (WPScan).