CVE-2023-3131: 
WordPress vulnerability analysis and mitigation

The MStore API WordPress plugin before version 3.9.7 contains a security vulnerability identified as CVE-2023-3131. The vulnerability was discovered by Truoc Phan and publicly disclosed on June 19, 2023. The issue affects the plugin's AJAX actions implementation, which lacks proper security controls for most of its functions (WPScan Advisory).

The vulnerability stems from the absence of proper security implementations in the plugin's AJAX actions, specifically missing privilege checks and nonce checks. The CVSS score for this vulnerability is 4.3 (Medium), indicating a moderate severity level. The vulnerability is classified under CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (WPScan Advisory).

When exploited, this vulnerability allows users with subscriber-level access to modify various plugin settings without proper authorization. Attackers can manipulate multiple plugin configurations including product limits, Firebase server keys, order titles, and messages. These changes can be made through unauthorized access to the plugin's administrative settings (WPScan Advisory).

The vulnerability has been patched in MStore API version 3.9.7. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan Advisory).