Cyber Posture

CVE-2025-11127

Critical

Published: 21 November 2025
Modified: 15 April 2026
KEV Added
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users' identity when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent: Directly mitigates the CVE by requiring identification, reporting, testing, and timely installation of patches for the vulnerable WordPress plugins.

prevent: Enforces approved authorizations on AJAX endpoints to prevent unauthenticated users from retrieving valid sessions for arbitrary accounts.

prevent: Requires proper identification and authentication of users before allowing access to session tokens via the flawed AJAX action.

Security Summary (AI-generated)

CVE-2025-11127 is a critical authentication bypass vulnerability affecting the Mstoreapp Mobile App WordPress plugin through version 2.08 and the Mstoreapp Mobile Multivendor plugin through version 9.0.1. These plugins fail to properly verify user identity during an AJAX action, enabling attackers to obtain a valid session token for any arbitrary user account simply by knowing the target's email address. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical rating that reflects the potential for complete compromise of affected user sessions.

Unauthenticated attackers with network access can exploit this flaw remotely with low complexity and no user interaction required. By submitting a crafted AJAX request with a known email address, an attacker can retrieve an active session for that user, potentially granting full access to their account privileges, including administrative capabilities if targeting an admin user. This could lead to unauthorized data access, account takeover, and further site compromise.

The WPScan advisory at https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/ provides additional details on the vulnerability, including potential mitigation steps such as updating to patched versions where available or disabling the affected AJAX endpoints.

Details

CWE(s)
None listed

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

The CVE enables exploitation of a public-facing WordPress plugin (T1190) to bypass authentication and obtain valid user session tokens (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References