CVE-2020-36713 in MStore API Plugin
Summary
by MITRE • 06/07/2023
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2020-36713 affects the MStore API plugin for WordPress, representing a critical authentication bypass flaw that has been present in versions up to and including 2.1.5. This vulnerability stems from improper access control mechanisms within the plugin's API endpoints, specifically exposing the register and update_user_profile routes without adequate authentication checks. The flaw allows malicious actors to exploit these unrestricted routes to manipulate user accounts and gain unauthorized access to administrative privileges. The security implications are severe as the vulnerability directly undermines the fundamental authentication mechanisms that protect WordPress installations from unauthorized access and privilege escalation attempts.
The technical nature of this vulnerability aligns with CWE-284, which describes improper access control conditions where an attacker can gain access to resources or functionality that should be restricted. The MStore API plugin fails to implement proper authorization checks on its user management endpoints, creating a pathway for unauthenticated attackers to perform administrative operations. When attackers access the register endpoint, they can create new administrator accounts with full privileges, while the update_user_profile endpoint allows them to modify existing user accounts and potentially escalate their privileges to administrator level. This flaw essentially removes the authentication barrier that should prevent unauthorized users from performing critical administrative functions.
The operational impact of this vulnerability extends beyond simple account creation, as it provides attackers with comprehensive control over the affected WordPress installation. An attacker who exploits this vulnerability can not only create new administrator accounts but also delete existing administrator accounts, effectively removing legitimate access to the system. This capability enables attackers to maintain persistent access to the system and potentially cause significant damage through account manipulation, data theft, or system compromise. The vulnerability's exploitation requires minimal technical knowledge, making it particularly dangerous as it can be leveraged by attackers with varying skill levels to gain unauthorized administrative access to WordPress sites.
Mitigation strategies for this vulnerability must be implemented immediately to protect affected WordPress installations. The primary recommendation is to upgrade the MStore API plugin to version 2.1.6 or later, which includes the necessary authentication checks and access control improvements. Organizations should also implement network-level restrictions to limit access to the plugin's API endpoints, particularly those related to user management. Security monitoring should be enhanced to detect suspicious API access patterns and unauthorized user account modifications. Additionally, administrators should conduct thorough security audits of their WordPress installations to identify other potential vulnerabilities and ensure that all plugins and themes are running supported versions. The remediation process should include reviewing and tightening access controls for API endpoints, implementing proper authentication mechanisms, and establishing regular security patching procedures to prevent similar vulnerabilities from being introduced in the future. This vulnerability demonstrates the critical importance of proper access control implementation and the potential consequences of failing to validate user permissions on sensitive API endpoints.