CVE-2026-3568 | inspireui MStore API Plugin up to 4.18.3 on WordPress flutter-user.php update_user_profile meta_data authorization

VDB-356499 · CVE-2026-3568 · GCVE-0-2026-3568 INSPIREUI MSTORE API PLUGIN UP TO 4.18.3 ON WORDPRESS FLUTTER-USER.PHP UPDATE_USER_PROFILE META_DATA AUTHORIZATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.2 $0-$5k 1.06+ Summaryinfo A vulnerability has been found in inspireui MStore API Plugin up to 4.18.3 on WordPress and classified as critical. Affected by this vulnerability is the function update_user_profile of the file controllers/flutter-user.php. Performing a manipulation of the argument meta_data results in authorization. This vulnerability is cataloged as CVE-2026-3568. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded. Detailsinfo A vulnerability classified as critical has been found in inspireui MStore API Plugin up to 4.18.3 on WordPress. This affects the function update_user_profile of the file controllers/flutter-user.php. The manipulation of the argument meta_data with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is: The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable. The weakness was shared by Osvaldo Noe Gonzalez Del Rio. It is possible to read the advisory at wordfence.com. This vulnerability is uniquely identified as CVE-2026-3568 since 03/04/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details of the vulnerability are known, but there is no available exploit. By approaching the search of inurl:controllers/flutter-user.php it is possible to find vulnerable targets with Google Hacking. Upgrading to version 4.18.3 eliminates this vulnerability. Productinfo Type WordPress Plugin Vendor inspireui Name MStore API Plugin Version 4.18.0 4.18.1 4.18.2 4.18.3 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.3 VulDB Meta Temp Score: 5.2 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 4.3 CNA Vector (Wordfence): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Authorization CWE: CWE-639 / CWE-285 / CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Google Hack: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: MStore API Plugin 4.18.3 Timelineinfo 03/04/2026 CVE reserved 04/09/2026 +35 days Advisory disclosed 04/09/2026 +0 days VulDB entry created 04/09/2026 +0 days VulDB entry last update Sourcesinfo Advisory: wordfence.com Researcher: Osvaldo Noe Gonzalez Del Rio Status: Confirmed CVE: CVE-2026-3568 (🔒) GCVE (CVE): GCVE-0-2026-3568 GCVE (VulDB): GCVE-100-356499 Entryinfo Created: 04/09/2026 08:09 Changes: 04/09/2026 08:09 (68) Complete: 🔍 Cache ID: 99:B71:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸