CVE-2025-4683: 
WordPress vulnerability analysis and mitigation

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress contains a vulnerability (CVE-2025-4683) discovered and disclosed on May 26, 2025. This vulnerability affects all versions up to and including 4.17.5 and is related to unauthorized modification of data due to a missing capability check in the create_blog function. The vulnerability allows authenticated attackers with Subscriber-level access or higher to create new posts (NVD CVE).

The vulnerability stems from a missing capability check in the create_blog function within the plugin's blog-helper.php file. The CVSS v3.1 score is 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD CVE).

When exploited, this vulnerability allows authenticated users with Subscriber-level privileges or higher to create new posts on the WordPress site, bypassing intended authorization restrictions. This could lead to unauthorized content creation and potential content manipulation on affected websites (NVD CVE).

Site administrators should update the MStore API plugin to a version newer than 4.17.5 once available. Until then, it is recommended to review and potentially restrict Subscriber-level access on affected websites, or consider temporarily deactivating the plugin if the functionality is not critical (NVD CVE).