Unrated severity · NVD Advisory · Published Sep 13, 2024 · Updated Apr 8, 2026

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload

CVE-2024-8242

Description

The MStore API WordPress plugin up to 4.15.3 allows authenticated attackers to upload arbitrary files (excluding PHP) due to missing file type validation, potentially leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The MStore API plugin for WordPress, versions up to and including 4.15.3, contains a missing file type validation vulnerability in the update_user_profile() function. This allows authenticated users with subscriber-level access or higher to upload arbitrary files (excluding PHP files) to the server. The plugin is used to bridge WordPress stores with mobile apps built using FluxBuilder [1].

Exploitation

An attacker must have at least subscriber-level authentication on the WordPress site. If the plugin's registration endpoint is enabled, unauthenticated users can also exploit the issue by first registering an account. The attacker then sends a crafted request to the update_user_profile() function with a file payload that bypasses file type checks, uploading arbitrary non-PHP files to the server [1].

Impact

Successful exploitation allows the attacker to upload arbitrary files (excluding PHP) to the server's filesystem. While direct PHP execution is prevented, the uploaded files can be used in combination with other techniques (e.g., .htaccess overrides, symlink attacks) to achieve remote code execution, potentially leading to full site compromise [1].

Mitigation

The vulnerability is fixed in plugin version 4.19.0 as indicated by the plugin's changelog, which includes security fixes for broken access control. Users are strongly advised to update to the latest version immediately. No official workaround is available for older versions [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
