CVE-2025-13029
Unknown Unknown - Not Provided
Authorization Bypass in Knowband Mobile App Builder Plugin Allows User Deletion

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: WPScan

Description
The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13029
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
knowband mobile_app_builder 3.0.0
woocommerce woocommerce *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Knowband Mobile App Builder for WooCommerce plugin versions prior to 3.0.0. It occurs because the plugin does not perform proper authorization checks when deleting users via its REST API. As a result, unauthenticated attackers can delete arbitrary users from the WordPress site without permission. This is classified as a Missing Authorization issue (CWE-862) and relates to Broken Access Control (OWASP Top 10 category A5). [1]

Impact Analysis

The vulnerability can have a severe impact by allowing unauthenticated attackers to delete any user account on the affected WordPress site. This can lead to loss of user data, disruption of site operations, potential denial of service for legitimate users, and compromise of site integrity. Since user accounts can be arbitrarily deleted, it can severely affect the site's functionality and trustworthiness. [1]

Detection Guidance

You can detect this vulnerability by checking if your WordPress site has the Knowband Mobile App Builder plugin installed with a version prior to 3.0.0 and if the WooCommerce plugin is active. To verify the plugin version, you can use WP-CLI commands such as `wp plugin list` to list installed plugins and their versions. Additionally, monitoring REST API requests for unauthorized DELETE user actions could indicate exploitation attempts. Specific commands include: `wp plugin list | grep mobile-app-builder` to check the plugin version, and reviewing web server logs or using tools like curl to test unauthorized DELETE requests to the REST API endpoints related to user deletion. [1]

Mitigation Strategies

The immediate mitigation step is to update the Knowband Mobile App Builder plugin to version 3.0.0 or later, where the authorization issue has been fixed. Additionally, ensure that only trusted users have access to the WordPress admin area and consider temporarily disabling the REST API user deletion endpoints if possible until the update is applied. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart