CVE-2025-11127 | The Mstoreapp Mobile App WordPress plugin through 2.08 and M… | CVSS 9.8 CRITICAL

Description

The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.

Metadata

CVE ID: CVE-2025-11127
State: PUBLISHED
Assigner: WPScan
Reserved: 2025-09-27 19:41 UTC
Published: 2025-11-21 13:41 UTC
Last updated: 2025-11-21 14:23 UTC
Vendor / Product: Unknown / Mstoreapp Mobile App
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (2)

Vendor	Product	Platform	Versions
Unknown	Mstoreapp Mobile App	—	0 ≤ 2.0.8
Unknown	Mstoreapp Mobile Multivendor	—	0 ≤ 9.0.1

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-639 Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/