CVE-2026-2375
Received Received - Intake
Privilege Escalation in App Builder Plugin via Role Bypass

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-05-07
AI Q&A
2026-03-21
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2375
EUVD
EUVD-2026-14012
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
app_builder plugin to 5.5.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 5.5.10. This occurs because the function verify_role() in the AuthTrails.php file explicitly whitelists the wcfm_vendor role along with subscriber and customer roles. When a new user is created via wp_insert_user(), the wcfm_vendor role is assigned directly without going through the WCFM Marketplace's vendor approval workflow.

As a result, an unauthenticated attacker can register an account with the wcfm_vendor role by supplying the role parameter in the /wp-json/app-builder/v1/register REST API endpoint. This bypasses the normal vendor approval process and immediately grants the attacker vendor-level privileges such as product management, order access, and store management on sites using WCFM Marketplace.


How can this vulnerability impact me? :

This vulnerability allows an unauthenticated attacker to gain vendor-level privileges on a WordPress site using the affected plugin and WCFM Marketplace. The attacker can manage products, access orders, and control store settings without approval.

Such unauthorized access can lead to unauthorized changes to product listings, manipulation of orders, potential data exposure, and disruption of normal store operations, which can harm the business and its customers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart