CVE-2026-7638
Status: Deferred - Pending Action
Insecure Direct Object Reference in App Builder WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: app_builder
Product: plugin
Version / Range: up to 5.6.0 (inclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

The vulnerability exists in the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress, affecting all versions up to and including 5.6.0.

It is an Insecure Direct Object Reference (IDOR) issue caused by missing authorization validation in the `upload_avatar()` function.

This function accepts a `user_id` parameter from the POST request body and uses it to update user meta without verifying if the requester has permission to modify the target account.

As a result, authenticated attackers with Subscriber-level access or higher can overwrite the profile avatar of any user on the site, including administrators, by supplying a target `user_id` in the request to the `/wp-json/app-builder/v1/upload-avatar` endpoint.

Impact Analysis

This vulnerability allows an attacker with at least Subscriber-level access to change the profile avatar of any user on the WordPress site, including administrators.

While it does not directly affect confidentiality or availability, it can be used to impersonate users or cause confusion by altering user profile images.

Such unauthorized modifications could potentially be leveraged in social engineering attacks or to undermine trust in user identities on the site.

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the endpoint `/wp-json/app-builder/v1/upload-avatar` that include a `user_id` parameter in the request body. Anomalous or unauthorized attempts to modify user avatars, especially those targeting administrator accounts, may indicate exploitation attempts.

You can use network monitoring tools or web server logs to identify such requests. Note that standard access logs record only the request line, not the POST body, so a grep on them shows which clients called the endpoint but not which `user_id` they supplied; seeing the body requires a WAF, reverse-proxy body logging, or a packet capture. For example, using command-line tools like curl or grep on server logs to find suspicious POST requests:

  • grep 'POST /wp-json/app-builder/v1/upload-avatar' /var/log/apache2/access.log
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'upload-avatar'
  • curl -X POST https://example.com/wp-json/app-builder/v1/upload-avatar -d 'user_id=TARGET_USER_ID&avatar=...' -H 'Authorization: Bearer <token>'

These commands help identify or simulate requests that could exploit the vulnerability by specifying arbitrary user_id values.

Mitigation Strategies

Immediate mitigation steps include updating the App Builder plugin to a version later than 5.6.0 where the vulnerability is fixed.

If an update is not immediately possible, restrict access to the /wp-json/app-builder/v1/upload-avatar endpoint to trusted users only, for example by applying firewall rules or web application firewall (WAF) rules.

Additionally, monitor logs for suspicious POST requests to this endpoint and review user permissions to ensure that only trusted users have Subscriber-level access or higher.

Consider temporarily disabling the plugin if the risk is high and no patch is available.
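For plugin developers, the missing check described in the advisory is an authorization test on the target account before any user meta is written. The following is an added illustrative example of such a check for a WordPress REST route; it is not the App Builder plugin's code. The namespace and route come from the advisory, while the function names, the `example_avatar_url` meta key and the `avatar` file field are assumed for illustration.

```php
<?php
// Added example, not the plugin's code: register the route with a
// permission_callback that resolves the target user and verifies the
// caller may edit that user before the handler runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'app-builder/v1', '/upload-avatar', array(
        'methods'             => 'POST',
        'callback'            => 'example_upload_avatar',
        'permission_callback' => 'example_upload_avatar_permission',
        'args'                => array(
            'user_id' => array(
                'type'              => 'integer',
                'required'          => false,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Resolve the account to modify. A missing or zero user_id means "the
// caller's own account"; an explicit user_id is only honoured after the
// permission check below has passed.
function example_target_user_id( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    return $user_id > 0 ? $user_id : get_current_user_id();
}

function example_upload_avatar_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = example_target_user_id( $request );
    // Core maps edit_user on one's own ID to "allowed" and on any other ID to
    // the edit_users capability, so Subscribers pass only for themselves.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this account.', array( 'status' => 403 ) );
    }
    return true;
}

function example_upload_avatar( WP_REST_Request $request ) {
    $target = example_target_user_id( $request );
    $files  = $request->get_file_params();
    if ( empty( $files['avatar'] ) ) {
        return new WP_Error( 'rest_missing_avatar', 'No avatar file uploaded.', array( 'status' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php'; // provides wp_handle_upload()
    $upload = wp_handle_upload( $files['avatar'], array( 'test_form' => false ) );
    if ( isset( $upload['error'] ) ) {
        return new WP_Error( 'rest_upload_failed', $upload['error'], array( 'status' => 400 ) );
    }
    // Only reached for an account the caller is authorized to edit.
    update_user_meta( $target, 'example_avatar_url', esc_url_raw( $upload['url'] ) );
    return rest_ensure_response( array( 'user_id' => $target, 'avatar' => $upload['url'] ) );
}
```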
