CVE-2025-3438: 
WordPress vulnerability analysis and mitigation

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in versions up to and including 4.17.4. The vulnerability was discovered in May 2025 and is tracked as CVE-2025-3438. The issue affects the plugin's registration functionality and can be exploited by unauthenticated attackers (NVD).

The vulnerability stems from a lack of restriction of role when registering new users. This security flaw allows unauthenticated attackers to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin. The vulnerability can only be exploited if the WCFM Marketplace plugin is installed and activated. The issue has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (NVD).

If successfully exploited, the vulnerability allows unauthorized users to gain elevated privileges by registering as store vendors, potentially accessing vendor-specific features and functionalities that should be restricted to authorized users only (NVD).

The vulnerability was partially patched in version 4.17.3 and fully addressed in version 4.17.5. Users are advised to update to the latest version of the plugin to mitigate this security risk (NVD).