Critical severity9.8NVD Advisory· Published Jul 12, 2024· Updated Apr 8, 2026

CVE-2024-6328

Description

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.

Affected products

Inspireui/Mstore Api
cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
Range: <4.15.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3115231/nvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/17d8e2e9-5e3f-433b-be1a-6ea765eba547nvdThird Party Advisory
plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.phpnvdProduct
plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.phpnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000