CVE-2024-6328 — AI Deep Analysis Summary

🚨 **Essence**: A critical authentication bypass in the MStore API plugin.…

🛡️ **Root Cause**: CWE-288 (Authentication Bypass). The flaw lies in the logic of `flutter-user.php` (lines 699-714), allowing unauthorized access to protected endpoints.

📦 **Affected**: WordPress Plugin **MStore API – Create Native Android & iOS Apps On The Cloud**. 🏢 **Vendor**: inspireui. ⚠️ **Version**: 4.14.7 and earlier.

💀 **Attacker Capabilities**: Since PR (Privileges Required) is NONE, anyone can exploit this. They can access sensitive user data, modify content, and potentially take over admin functions.

⚡ **Threshold**: VERY LOW. 🌐 Network Accessible (AV:N). Low Complexity (AC:L). No User Interaction needed (UI:N). No authentication required (PR:N). Easy to exploit!

🔍 **Exploit Status**: No public PoC code listed in the data. However, the CVSS score is 9.8 (Critical), implying high exploitability. Wild exploitation is likely given the low barrier.

🔎 **Self-Check**: Scan for the plugin **MStore API** version ≤ 4.14.7. Check if endpoints in `controllers/flutter-user.php` are accessible without valid tokens/cookies.

✅ **Fix**: Yes, an official fix exists. Update to the latest version via WordPress Trac (Changeset 3115231). Patch addresses the bypass in the user controller.

🚧 **No Patch?**: Isolate the plugin. Restrict access to `/wp-admin` and API endpoints via WAF rules. Block direct access to `flutter-user.php` if possible. Disable the plugin temporarily.

🔥 **Urgency**: CRITICAL. 🚨 CVSS 9.8. Published July 2024. Immediate patching is required to prevent unauthorized access and data breaches.