Introduction
An unauthenticated arbitrary file upload vulnerability in the WordPress MStore API plugin allows any remote attacker to upload and execute PHP code on the server without credentials. With a public exploit available since October 2021 and no authentication required, this is a straightforward path to full server compromise for any of the roughly 3,000 WordPress sites running vulnerable versions.
The MStore API plugin, developed by InspireUI, acts as a bridge between WordPress WooCommerce stores and native mobile applications built with the FluxBuilder platform. It exposes product, user, and order data via REST API endpoints to power mobile storefronts. While its install base of approximately 3,000 active sites is modest, each installation typically represents an e-commerce operation handling customer data and payment information.
Technical Information
Root Cause: Missing Authentication (CWE-306)
The vulnerability is rooted in CWE-306, Missing Authentication for Critical Function. The MStore API plugin registers a REST API endpoint at /wp-json/api/flutter_woo/config_file that accepts file uploads via POST requests. This endpoint performs no authentication or authorization checks whatsoever. Any unauthenticated user can submit a file upload request, and the server will process and store the file.
Attack Flow
The exploitation process is straightforward and fully automatable:
-
Target Discovery: An attacker identifies WordPress sites running the MStore API plugin. The public exploit includes a Google Dork for this purpose:
inurl:/wp-content/plugins/mstore-api/. -
Crafted Upload Request: The attacker sends a POST request to the vulnerable endpoint, uploading a PHP webshell. The file is given a name like
config.json.phpand submitted with a content type ofapplication/jsonto bypass any superficial file type checks. -
Server Response: The server accepts the upload without authentication and returns the location of the stored file.
-
Code Execution: The attacker navigates to the uploaded PHP file's URL and executes arbitrary commands on the underlying server.
The public exploit by the author spacehen demonstrates the core of this attack:
rest_url = '/wp-json/api/flutter_woo/config_file' files = {'file' : ( "config.json.php", open(file_path), "application/json" )}
The naming convention config.json.php is deliberate. It uses a double extension to appear as a JSON configuration file while ensuring the web server interprets and executes it as PHP. The application/json content type further reinforces this disguise at the request level.
Impact
Successful exploitation grants the attacker remote code execution on the web server. From there, an attacker can read database credentials from wp-config.php, exfiltrate customer and order data, install persistent backdoors, pivot to other systems on the network, or use the compromised server for further attacks.
Affected Systems and Versions
The vulnerability affects MStore API version 2.0.6 and below. The current stable release of the plugin is version 4.18.4, tested up to WordPress 6.9.0, according to the WordPress plugin repository.
Any WordPress installation running MStore API 2.0.6 or earlier with the REST API accessible (which is the default WordPress configuration) is vulnerable. No special configuration is required to be exploitable.
Vendor Security History
InspireUI's MStore API plugin has a notable pattern of critical security issues, particularly around authentication and access control:
| Vulnerability Type | Affected Versions | Impact |
|---|---|---|
| Arbitrary File Upload (CVE-2021-47933) | 2.0.6 and below | Remote Code Execution |
| Authentication Bypass (CVE-2023-2732) | 3.9.2 and below | Unauthorized Access |
| SQL Injection | Below 3.9.8 | Database Compromise |
| Privilege Escalation | 4.10.7 and below | Unauthorized Account Access |
The recurring nature of authentication and authorization failures across multiple versions suggests a systemic weakness in the plugin's security architecture. Administrators running this plugin should treat it as a high priority component for patch management and monitoring.



