CVE-2025-13029
Authorization Bypass in Knowband Mobile App Builder Plugin Allows User Deletion
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| knowband | mobile_app_builder | 3.0.0 |
| woocommerce | woocommerce | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the Knowband Mobile App Builder for WooCommerce plugin versions prior to 3.0.0. It occurs because the plugin does not perform proper authorization checks when deleting users via its REST API. As a result, unauthenticated attackers can delete arbitrary users from the WordPress site without permission. This is classified as a Missing Authorization issue (CWE-862) and relates to Broken Access Control (OWASP Top 10 category A5). [1]
How can this vulnerability impact me? :
The vulnerability can have a severe impact by allowing unauthenticated attackers to delete any user account on the affected WordPress site. This can lead to loss of user data, disruption of site operations, potential denial of service for legitimate users, and compromise of site integrity. Since user accounts can be arbitrarily deleted, it can severely affect the site's functionality and trustworthiness. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress site has the Knowband Mobile App Builder plugin installed with a version prior to 3.0.0 and if the WooCommerce plugin is active. To verify the plugin version, you can use WP-CLI commands such as `wp plugin list` to list installed plugins and their versions. Additionally, monitoring REST API requests for unauthorized DELETE user actions could indicate exploitation attempts. Specific commands include: `wp plugin list | grep mobile-app-builder` to check the plugin version, and reviewing web server logs or using tools like curl to test unauthorized DELETE requests to the REST API endpoints related to user deletion. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Knowband Mobile App Builder plugin to version 3.0.0 or later, where the authorization issue has been fixed. Additionally, ensure that only trusted users have access to the WordPress admin area and consider temporarily disabling the REST API user deletion endpoints if possible until the update is applied. [1]