The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mstore_api | Inspireui | * | 3.9.6 (including) |