CVE-2024-12042

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-12042
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/mstore-api/trunk/functions/index.php#790 Product
https://plugins.trac.wordpress.org/changeset/3205338/mstore-api/trunk/functions/index.php Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*
History

22 May 2025, 14:33

Type Values Removed Values Added
Summary
  • (es) El complemento MStore API – Create Native Android & iOS Apps On The Cloud para WordPress es vulnerable a Cross-Site Scripting almacenado a través de la función de carga de imágenes de perfil en todas las versiones hasta la 4.16.4 incluida, debido a una validación insuficiente del tipo de archivo. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, carguen archivos HTML con web scripts arbitrarios que se ejecutarán siempre que un usuario acceda al archivo.
References () https://plugins.trac.wordpress.org/browser/mstore-api/trunk/functions/index.php#790 - () https://plugins.trac.wordpress.org/browser/mstore-api/trunk/functions/index.php#790 - Product
References () https://plugins.trac.wordpress.org/changeset/3205338/mstore-api/trunk/functions/index.php - () https://plugins.trac.wordpress.org/changeset/3205338/mstore-api/trunk/functions/index.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/af468138-c10a-4f9b-b714-0425d52f0210?source=cve - Third Party Advisory
First Time Inspireui
Inspireui mstore Api
CWE CWE-79
CPE cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*

13 Dec 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-13 09:15

Updated : 2025-05-22 14:33

NVD link : CVE-2024-12042

Mitre link : CVE-2024-12042

CVE.ORG link : CVE-2024-12042

JSON object : View

Products Affected

inspireui

  • mstore_api
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')