CVE-2026-2375

Received Received - Intake

Privilege Escalation in App Builder Plugin via Role Bypass

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-21

Last Modified

2026-03-21

Generated

2026-06-16

AI Q&A

2026-03-21

EPSS Evaluated

2026-06-15

NVD

CVE-2026-2375

EUVD

EUVD-2026-14012

Affected Vendors & Products

Vendor	Product	Version / Range
app_builder	plugin	to 5.5.10 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-269	The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

Executive Summary

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 5.5.10. This occurs because the function verify_role() in the AuthTrails.php file explicitly whitelists the wcfm_vendor role along with subscriber and customer roles. When a new user is created via wp_insert_user(), the wcfm_vendor role is assigned directly without going through the WCFM Marketplace's vendor approval workflow.

As a result, an unauthenticated attacker can register an account with the wcfm_vendor role by supplying the role parameter in the /wp-json/app-builder/v1/register REST API endpoint. This bypasses the normal vendor approval process and immediately grants the attacker vendor-level privileges such as product management, order access, and store management on sites using WCFM Marketplace.

Impact Analysis

This vulnerability allows an unauthenticated attacker to gain vendor-level privileges on a WordPress site using the affected plugin and WCFM Marketplace. The attacker can manage products, access orders, and control store settings without approval.

Such unauthorized access can lead to unauthorized changes to product listings, manipulation of orders, potential data exposure, and disruption of normal store operations, which can harm the business and its customers.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-2375. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-2375

Privilege Escalation in App Builder Plugin via Role Bypass

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart