CVE-2026-7638
Insecure Direct Object Reference in App Builder WordPress Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| app_builder | plugin | up to 5.6.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress, affecting all versions up to and including 5.6.0.
It is an Insecure Direct Object Reference (IDOR) issue caused by missing authorization validation in the `upload_avatar()` function.
This function accepts a `user_id` parameter from the POST request body and uses it to update user meta without verifying if the requester has permission to modify the target account.
As a result, authenticated attackers with Subscriber-level access or higher can overwrite the profile avatar of any user on the site, including administrators, by supplying a target `user_id` in the request to the `/wp-json/app-builder/v1/upload-avatar` endpoint.
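A hardened version of such an endpoint, as an added illustration that is not the plugin's own code: the `permission_callback` ties the `user_id` a caller may act on to their own account unless they hold the `edit_user` capability for that account. The function names, the `avatar` file field and the user-meta key are assumptions; the route and parameter name follow the advisory.

```php
<?php
// Added illustration, not the plugin's code. Registers the route with a
// permission_callback so the target account is authorized, not just supplied.
add_action( 'rest_api_init', function () {
    register_rest_route( 'app-builder/v1', '/upload-avatar', array(
        'methods'             => 'POST',
        'callback'            => 'example_upload_avatar',            // assumed name
        'permission_callback' => 'example_upload_avatar_permission', // assumed name
        'args'                => array(
            'user_id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Resolve the account to act on: the caller's own unless user_id is supplied.
function example_target_user_id( WP_REST_Request $request ) {
    $supplied = (int) $request->get_param( 'user_id' );
    return $supplied > 0 ? $supplied : get_current_user_id();
}

// Authorization: a caller may change their own avatar, or another user's only
// when they hold edit_user for that user (the check the advisory says is missing).
function example_upload_avatar_permission( WP_REST_Request $request ) {
    $current = get_current_user_id();
    if ( ! $current ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = example_target_user_id( $request );
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only update your own avatar.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler runs only after the permission callback returned true.
function example_upload_avatar( WP_REST_Request $request ) {
    $target = example_target_user_id( $request );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    // 'avatar' is the assumed multipart file field; media_handle_upload validates type and size.
    $attachment_id = media_handle_upload( 'avatar', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }
    update_user_meta( $target, 'example_avatar_attachment_id', $attachment_id ); // assumed meta key
    return rest_ensure_response( array( 'user_id' => $target, 'attachment_id' => $attachment_id ) );
}
```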
How can this vulnerability impact me?
This vulnerability allows an attacker with at least Subscriber-level access to change the profile avatar of any user on the WordPress site, including administrators.
While it does not directly affect confidentiality or availability, it can be used to impersonate users or cause confusion by altering user profile images.
Such unauthorized modifications could potentially be leveraged in social engineering attacks or to undermine trust in user identities on the site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the endpoint `/wp-json/app-builder/v1/upload-avatar` that include a `user_id` parameter in the request body. Anomalous or unauthorized attempts to modify user avatars, especially those targeting administrator accounts, may indicate exploitation attempts.
You can use network monitoring tools or web server logs to identify such requests. Note that standard access logs record only the request line, not the POST body, so the `user_id` value itself is visible only with request-body logging, a WAF, or packet capture. For example, using command-line tools like curl or grep on server logs to find suspicious POST requests:
- `grep 'POST /wp-json/app-builder/v1/upload-avatar' /var/log/apache2/access.log`
- `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'upload-avatar'`
- `curl -X POST https://example.com/wp-json/app-builder/v1/upload-avatar -d 'user_id=TARGET_USER_ID&avatar=...' -H 'Authorization: Bearer <token>'`
These commands help identify or simulate requests that could exploit the vulnerability by specifying arbitrary user_id values.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the App Builder plugin to a version later than 5.6.0 where the vulnerability is fixed.
If an update is not immediately possible, restrict access to the /wp-json/app-builder/v1/upload-avatar endpoint to trusted users only, for example by applying firewall rules or web application firewall (WAF) rules.
Additionally, monitor logs for suspicious POST requests to this endpoint and review user permissions to ensure that only trusted users have Subscriber-level access or higher.
Consider temporarily disabling the plugin if the risk is high and no patch is available.