CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

May 2, 2025

CVE ID : CVE-2025-3438

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the ‘wcfm_vendor’ role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-3488 – WordPress WPML Stored Cross-Site Scripting Vulnerability

Next Article CVE-2025-3858 – WordPress Formality Plugin Stored Cross-Site Scripting Vulnerability

CodeSOD: A Unique Way to Primary Key

BrowserStack launches Figma plugin for detecting accessibility issues in design phase

Parasoft brings agentic AI to service virtualization in latest release

Node.js vs. Python for Backend: 7 Reasons C-Level Leaders Choose Node.js Talent

The best CRM software with email marketing in 2025: Expert tested and reviewed

This multi-port car charger can power 4 gadgets at once – and it’s surprisingly cheap

I’m a wearables editor and here are the 7 Pixel Watch 4 rumors I’m most curious about

8 ways I quickly leveled up my Linux skills – and you can too

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

Zero Trust & Cybersecurity Mesh: Your Org’s Survival Guide

Execute Ping Commands and Get Back Structured Data in PHP

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

“I don’t think I changed his mind” — NVIDIA CEO comments on H20 AI GPU sales resuming in China following a meeting with President Trump

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

CVE-2025-44658 – Netgear RAX30 PHP-FPM Misconfigured Extension Bypass Vulnerability

CVE-2025-7393 – Drupal Mail Login Authentication Bypass

CVE-2025-48965 – Mbed TLS NULL Pointer Dereference Vulnerability

Microsoft Tries to Fix EU Cloud Mess with New Offer to CISPE

Revisiting Uncertainty Quantification Evaluation in Language Models: Spurious Interactions with Response Length Bias Results

Write more reliable JavaScript with optional chaining

CVE-2025-5267 – “Firefox Clickjacking Payment Card Disclosure Vulnerability”

CVE-2025-4125 – Delta Electronics ISPSoft Out-Of-Bounds Write Vulnerability

CVE-2025-36539 – AVEVA PI Data Archive Denial of Service (DoS)

Blockchain-Powered Digital Twins: Driving Efficiency & Innovation in Operations

CVE-2025-3438 – WordPress WCFM Marketplace MStore API Privilege Escalation

Related Posts