MStore API – Create Native Android & iOS Apps On The Cloud

Vulnerabilities 38Slug mstore-apiLatest version 4.18.4WordPress.org →

Minimum safe version

4.18.4

Update to 4.18.4 or later to address 37 fixable vulnerabilities

Latest available4.18.4 ⚠ 1 vulnerability has no fix
Critical 9.8 Unfixed
2026-05-10≤ 2.0.6

CVE-2021-47933

CVEEUVD
N/A
2026-04-08< 4.18.4

MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

WordfenceCVE
Medium 4.3
2025-05-27< 4.17.6

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation

EUVDWordfenceCVE
Medium 6.5
2025-05-02< 4.17.5

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.4 - Unauthenticated Limited Privilege Escalation

EUVDWordfenceCVE
Medium 5.4
2024-12-26< 4.10.2

WordPress MStore API Plugin <= 4.10.1 is vulnerable to Cross Site Request Forgery (CSRF)

PatchstackCVEWordfenceWPScan
Low 3.5
2023-07-10< 3.9.7

CVE-2023-3209

CVEWPScan
Medium 4.3
2023-07-10< 3.9.7

CVE-2023-3131

CVE
N/A
2023-06-13< 3.9.6

WordPress MStore API Plugin < 3.9.6 is vulnerable to Broken Access Control

Patchstack
N/A
2023-06-12< 3.9.6

MStore API <= 3.9.6 - Missing Authorization

Wordfence
N/A
< 2.1.6

MStore API &lt; 2.1.6 - Unauthenticated Arbitrary Account Creation/Edition

WPScan
N/A
< 3.4.5

MStore API &lt; 3.4.5 - Unauthenticated PHP File Upload

WPScan
Critical 9.8
2023-06-07< 2.1.6

CVE-2020-36713

CVE
N/A
2020-03-11< 2.1.6

MStore API <= 2.1.5 - Authentication Bypass

Wordfence
N/A
2021-10-05< 3.4.5

MStore API < 3.4.5 - Arbitrary File Upload

Wordfence
N/A
2020-03-11< 2.1.6

WordPress MStore API plugin <= 2.1.5 - Unauthenticated Account Create/Edit vulnerability

Patchstack
N/A
2021-02-02< 3.2.0

WordPress MStore API plugin <= 3.1.9 - Bypass vulnerability in Apple login authentication method

Patchstack