Critical severity9.8NVD Advisory· Published Jun 7, 2023· Updated Apr 8, 2026

CVE-2020-36713

Description

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.

Affected products

Inspireui/Mstore Api
cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
Range: <=2.1.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/nvdExploit
www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-security-bypass-2-1-5/nvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a34-f448cb2e5a1dnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000