CVE-2023-2732

CRITICAL EXPLOITED NUCLEI

MStore API < 3.9.2 - Unauthenticated Authentication Bypass via Listing REST API

Exploitation Summary

CVE-2023-2732 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including RandomRobbieBF, Ap0dexMe0, ThatNotEasy. A Nuclei detection template is also available.

Description

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Exploits (5)

nomisec WORKING POC 6 stars
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2023-2732

This repository contains a functional Python script that exploits an authentication bypass vulnerability in the MStore API WordPress plugin (versions <= 3.9.2). The exploit fetches user IDs via the REST API and crafts a request to the vulnerable endpoint to bypass authentication and log in as any user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: MStore API WordPress plugin <= 3.9.2
No auth needed
Prerequisites: Target WordPress site with MStore API plugin <= 3.9.2 · Access to the REST API endpoints
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 2 stars
by Ap0dexMe0 · poc
https://github.com/Ap0dexMe0/CVE-2023-2732

This repository contains a Python-based scanner for detecting the Mstore WordPress API vulnerability (CVE-2023-2732). It checks for the presence of the vulnerable plugin and attempts to identify potential exploitation paths, but does not include functional exploit code.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Mstore WordPress API plugin (versions below 3.9.3)
No auth needed
Prerequisites: target URL list · Python 3.7+ · requests library
devstral-2 · analyzed May 17, 2026

nomisec SCANNER 2 stars
by ThatNotEasy · remote
https://github.com/ThatNotEasy/CVE-2023-2732

The repository contains a Python-based scanner for detecting the presence of the Mstore WordPress API vulnerability (CVE-2023-2732). It checks for plugin installation, version, and potential exploitation paths but does not include functional exploit code.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: WordPress with Mstore API plugin
No auth needed
Prerequisites: Target URL list · Python 3.7+
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Jenderal92 · remote
https://github.com/Jenderal92/WP-CVE-2023-2732

The repository contains a functional Python script that exploits CVE-2023-2732, an authentication bypass vulnerability in WordPress. The script retrieves user IDs via the WP REST API and crafts a malicious request to bypass authentication, granting admin access.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress (specific version not specified)
No auth needed
Prerequisites: Target WordPress site with vulnerable REST API endpoint
devstral-2 · analyzed Feb 18, 2026

inthewild SCANNER
poc
https://github.com/pari-malam/cve-2023-2732

This repository contains a Python-based scanner for detecting the presence of the Mstore WordPress API plugin and checking for potential vulnerabilities. It does not include exploit code but scans for plugin installation and version information.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Mstore WordPress API plugin
No auth needed
Prerequisites: target URL list · Python 3.7+
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

MStore API <= 3.9.2 - Authentication Bypass
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: http.html:/wp-content/plugins/mstore-api/
FOFA: body=/wp-content/plugins/mstore-api/

Scores

CVSS v3 9.8
EPSS 0.9149
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-05-06
CWE CWE-288
Status published
Products (2)
inspireui/MStore API – Create Native Android & iOS Apps On The Cloud < 3.9.2
inspireui/mstore_api < 3.9.2
Published May 25, 2023
Tracked Since Feb 18, 2026