CVE-2025-11127

Affected: The Mstoreapp Mobile App WordPress plugin (multiple products)

Executive summary

A critical vulnerability has been identified in the Mstoreapp WordPress plugins, which allows an unauthenticated attacker to gain complete control over any user's account, including administrator accounts. By simply knowing a user's email address, an attacker can exploit this flaw to impersonate them, leading to potential data theft, website defacement, and further system compromise. Immediate patching is required to mitigate this severe risk.

Vulnerability

The vulnerability exists due to an improper identity verification mechanism within an AJAX function of the affected plugins. An unauthenticated attacker can send a specially crafted request to this AJAX endpoint, providing the email address of a target user. The plugin fails to validate that the request is coming from an authenticated source, and incorrectly generates and returns a valid session token for the user associated with the provided email, effectively allowing the attacker to log in and take over the victim's account.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows for a full account takeover of any registered user on the WordPress site, including high-privileged administrators. The business impact is severe and could include the theft of sensitive customer data (PII, order history), unauthorized modification of website content, financial fraud through compromised e-commerce accounts, and using the compromised website as a platform to launch further attacks. The reputational damage and potential regulatory fines resulting from a data breach would be significant.

Remediation

Immediate Action: Update the Mstoreapp Mobile App and Mstoreapp Mobile Multivendor plugins to the latest patched versions provided by the vendor. After patching, review access logs for any unusual login activity or unauthorized actions performed by user accounts prior to the update.

Proactive Monitoring:

  • Monitor web server and WAF logs for anomalous POST requests to WordPress AJAX endpoints (/wp-admin/admin-ajax.php), specifically those related to the Mstoreapp plugins.
  • Implement security audit logging within WordPress to track user login events, looking for successful logins from unusual IP addresses or multiple rapid login attempts for different users from a single source.
  • Set up alerts for any unauthorized changes to administrative accounts or critical website settings.
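As an added example (not part of the advisory or the vendor's code), the following script implements the first two monitoring bullets over constructed access-log lines: it flags any source that sends repeated POSTs to admin-ajax.php with an action matching the plugin prefix inside a short window. It assumes the action name is visible in the logged query string and uses an assumed placeholder action name, since the advisory does not name the vulnerable action.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format, not real traffic). The action name
# "mstoreapp_login" is an assumed placeholder: the advisory names no action, so match the plugin prefix.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=mstoreapp_login HTTP/1.1" 200 512
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=mstoreapp_login HTTP/1.1" 200 517
203.0.113.7 - - [01/Oct/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=mstoreapp_login HTTP/1.1" 200 509
198.51.100.4 - - [01/Oct/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 89
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format request line
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["action"] = parse_qs(url.query).get("action", [""])[0]
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_ajax(log_text, action_pattern=r"mstoreapp", threshold=3, window_seconds=60):
    """Map source IP -> its densest burst of matching admin-ajax.php POSTs,
    keeping only sources with at least `threshold` such requests inside the window."""
    window = timedelta(seconds=window_seconds)
    pat = re.compile(action_pattern, re.IGNORECASE)
    hits = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-admin/admin-ajax.php")
                and pat.search(rec["action"])):
            hits[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

On a real site the action parameter usually travels in the POST body, which stock access logs do not record; capture it through the WAF or the web server's request-body audit logging, or apply the same per-source burst check to the WordPress audit log's login events.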

Compensating Controls:

  • If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) rule to block or flag requests targeting the specific vulnerable AJAX action.
  • Temporarily disable the affected plugins until they can be safely updated. Note that this will impact functionality.
  • Enforce multi-factor authentication (MFA) for all users, especially administrators, which may add a layer of protection against session token abuse.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical and immediate threat to the organization. Due to the ease of exploitation and the potential for complete system compromise, immediate remediation is the top priority. All instances of the affected Mstoreapp plugins must be updated to a patched version without delay. While this CVE is not currently on the CISA KEV list, its critical nature makes it a strong candidate for future inclusion should widespread exploitation occur. Organizations should treat this with the highest urgency.