The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.
CVE-2026-3568 is a medium severity with CVSS 4.3 Authorization Bypass issue affecting the Plugin MStore API – Create Native Android & iOS Apps On The Cloud. It affects Versions up to 4.18.3 and is fixed in 4.18.4.
CVE-2026-3568 is tracked for the Plugin MStore API – Create Native Android & iOS Apps On The Cloud as medium severity with CVSS 4.3. The affected range is Versions up to 4.18.3. Update MStore API – Create Native Android & iOS Apps On The Cloud to 4.18.4 or newer where that version is compatible with the site.
| Software Type | Plugin |
|---|---|
| Software Slug |
mstore-api
View on wordpress.org
|
| CVE | CVE-2026-3568 |
| Patched Versions |
4.18.4
|
| Affected Versions |
Versions up to 4.18.3
|
These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.
MStore API – Create Native Android & iOS Apps On The Cloud <= 4.14.7 - Authentication Bypass
MStore API <= 4.0.1 - Unauthenticated SQL Injection
MStore API <= 3.9.7 - Unauthenticated SQL Injection
MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
MStore API <= 3.9.7 - Unauthenticated SQL Injection
MStore API <= 3.9.8 - Unauthenticated Privilege Escalation
MStore API <= 3.9.2 - Authentication Bypass
MStore API <= 3.9.1 - Authentication Bypass
This record contains material that is subject to copyright
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more
License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more
