CVE-2025-11127
Published: 21 November 2025
Summary
CVE-2025-11127 is a critical-severity vulnerability whose weakness type (CWE) is not specified. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 43.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2025-11127 is a critical authentication bypass vulnerability affecting the Mstoreapp Mobile App WordPress plugin through version 2.08 and the Mstoreapp Mobile Multivendor plugin through version 9.0.1. These plugins fail to properly verify the user's identity in an AJAX action, so an attacker can obtain a valid session for any user account simply by knowing the target's email address. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability because the attacker ends up holding a real session for the victim account.
Unauthenticated attackers with network access can exploit this flaw remotely with low complexity and no user interaction required. By submitting a crafted AJAX request with a known email address, an attacker can retrieve an active session for that user, potentially granting full access to their account privileges, including administrative capabilities if targeting an admin user. This could lead to unauthorized data access, account takeover, and further site compromise.
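To make the flaw class concrete, the following is an added illustrative example and not the Mstoreapp plugins' code (which this page does not reproduce): a hypothetical WordPress AJAX handler that exhibits the pattern the advisory describes (look up a user by email, mint a session, no proof of identity), followed by a hardened form that only issues a session after the caller proves it holds the account's credentials. Every name here (the `example_*` hooks and functions, the `email`/`password`/`nonce` parameters) is an assumption for the example.

```php
<?php
/*
 * Illustrative example only (not the Mstoreapp plugin code).
 * Shows the "session for anyone who knows the email" anti-pattern and a
 * hardened replacement. All example_* names are assumptions.
 */

// ---------------------------------------------------------------------
// Vulnerable pattern
// ---------------------------------------------------------------------
// Registered on the nopriv hook, so any anonymous caller who can reach
// /wp-admin/admin-ajax.php?action=example_get_session can invoke it.
add_action( 'wp_ajax_nopriv_example_get_session', 'example_get_session_vulnerable' );
add_action( 'wp_ajax_example_get_session',        'example_get_session_vulnerable' );

function example_get_session_vulnerable() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    // The only "proof" of identity is knowledge of a public identifier.
    // No password check, no nonce bound to an existing session, no
    // capability check: this is the authentication bypass.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true, is_ssl() );   // valid session for $user
    wp_send_json_success( array( 'user_id' => $user->ID, 'login' => $user->user_login ) );
}

// ---------------------------------------------------------------------
// Hardened pattern
// ---------------------------------------------------------------------
// Still reachable anonymously (a mobile login endpoint has to be), but a
// session is issued only after the caller proves it owns the account.
add_action( 'wp_ajax_nopriv_example_login', 'example_login_secure' );

function example_login_secure() {
    $email    = isset( $_POST['email'] )    ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] )       : '';

    if ( '' === $email || '' === $password ) {
        wp_send_json_error( 'invalid credentials', 401 );
    }

    // Verify the secret, not just the identifier. wp_authenticate() runs the
    // core 'authenticate' filters (email or username + password, plus any
    // lockout / 2FA hooks other plugins add).
    $user = wp_authenticate( $email, $password );

    // One response for "no such user" and "wrong password" so the endpoint
    // cannot be used to enumerate which emails have accounts.
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid credentials', 401 );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true, is_ssl() );
    wp_send_json_success( array( 'user_id' => $user->ID, 'login' => $user->user_login ) );
}

// ---------------------------------------------------------------------
// Any endpoint that acts on an already-signed-in user (profile, orders,
// vendor data) belongs on the logged-in hook only, with a nonce bound to
// the caller's own session and an authorization check on the target.
// ---------------------------------------------------------------------
add_action( 'wp_ajax_example_get_profile', 'example_get_profile_secure' );

function example_get_profile_secure() {
    check_ajax_referer( 'example_profile_nonce', 'nonce' );   // CSRF: nonce tied to this session

    $current = wp_get_current_user();
    if ( 0 === $current->ID ) {
        wp_send_json_error( 'authentication required', 401 ); // IA-2: identify the caller
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current->ID;
    if ( $target_id !== $current->ID && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );               // AC-3: enforce authorization
    }

    $target = get_user_by( 'id', $target_id );
    if ( ! $target ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    wp_send_json_success( array( 'user_id' => $target->ID, 'email' => $target->user_email ) );
}
```

The practical check when reviewing any plugin: for every `wp_ajax_nopriv_*` hook, ask what secret the handler verifies before it calls `wp_set_auth_cookie()`, `wp_set_current_user()`, or returns anything account-specific. If the answer is "an email address" or "a user ID from the request", the handler has the same shape as the bug described above.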
The WPScan advisory at https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/ provides additional details on the vulnerability, including potential mitigation steps such as updating to patched versions where available or disabling the affected AJAX endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198490
Vulnerability details
The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify the user's identity when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing WordPress plugin (T1190, Exploit Public-Facing Application) to bypass authentication and obtain valid user sessions (T1539, Steal Web Session Cookie).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring identification, reporting, testing, and timely installation of patches for the vulnerable WordPress plugins.
- AC-3 (Access Enforcement): enforces approved authorizations on AJAX endpoints to prevent unauthenticated users from retrieving valid sessions for arbitrary accounts.
- IA-2 (Identification and Authentication (Organizational Users)): requires proper identification and authentication of users before allowing access to session tokens via the flawed AJAX action.