CVE-2024-8242: 
WordPress vulnerability analysis and mitigation

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress (versions up to and including 4.15.3) contains a vulnerability identified as CVE-2024-8242. The vulnerability was discovered and reported by Wordfence, with the disclosure date being September 13, 2024. This security issue affects the updateuserprofile() function in the plugin, which lacks proper file type validation (NVD CVE).

The vulnerability is classified as an arbitrary file upload vulnerability due to insufficient file type validation in the updateuserprofile() function. The issue has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with subscriber-level access or higher to upload arbitrary files (excluding PHP files) to the affected site's server. This capability could potentially lead to remote code execution. The impact is heightened by the fact that the vulnerability can be combined with a registration endpoint for unauthenticated users to exploit the issue (NVD CVE).

Website administrators running the affected versions of the MStore API plugin should update to version 4.15.4 or later, which contains the fix for this vulnerability (NVD CVE).