CVE-2026-2375 in App Builder Plugin

Summary

by MITRE • 03/21/2026

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability described in CVE-2026-2375 represents a critical privilege escalation flaw within the App Builder plugin for WordPress, specifically affecting versions through 5.5.10. This issue arises from a fundamental misconfiguration in the authentication and authorization mechanisms that govern user role assignment within the plugin's REST API endpoint. The vulnerability directly impacts WordPress installations that also utilize the WCFM Marketplace plugin, creating a dangerous intersection where standard security controls are bypassed through a simple parameter manipulation.

The technical flaw exists within the `verify_role()` function located in the `AuthTrails.php` file, which demonstrates a clear violation of the principle of least privilege and proper access control implementation. The function explicitly whitelists the `wcfm_vendor` role alongside more restricted roles like `subscriber` and `customer`, creating an unintended pathway for privilege escalation. This design flaw allows attackers to directly assign the `wcfm_vendor` role during user registration through the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing all standard vendor approval workflows that should normally be enforced by the WCFM Marketplace plugin.
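To make the shape of the flaw concrete, the following PHP is an added illustration written for this page, not the plugin's source: the first function reproduces the pattern the analysis describes (a role allowlist that contains the privileged marketplace role, so whatever the caller sends is what `wp_insert_user()` receives), and the second shows a hardened shape in which self-service registration can only yield roles that need no review, while a vendor request is merely recorded for the approval workflow. Function names, the `register_account()` wrapper and the `_example_vendor_application_pending` meta key are assumptions for this example; the WordPress calls used are real core functions.

```php
<?php
// Illustrative reconstruction written for this analysis; not the plugin's code.
// Function and meta-key names are assumptions for the example.

// Pattern described in the advisory: the allowlist itself contains a
// privileged marketplace role, so unauthenticated request input decides the
// privilege level of the new account.
function verify_role_vulnerable( string $requested ): string {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' );
    return in_array( $requested, $allowed, true ) ? $requested : 'subscriber';
}

// Hardened form: self-service registration may only produce roles that a new
// account is entitled to without review. Anything else falls back to the
// least-privileged role; the allowlist is the only thing that can widen it.
const SELF_SERVICE_ROLES = array( 'subscriber', 'customer' );

function verify_role_hardened( string $requested ): string {
    if ( in_array( $requested, SELF_SERVICE_ROLES, true ) ) {
        return $requested;
    }
    return 'subscriber';
}

// Registration wrapper (assumed shape). The privileged role is requested, not
// granted: the account is created with a self-service role and a marker is
// left for the marketplace's own approval workflow to act on.
function register_account( array $params ) {
    $requested = (string) ( $params['role'] ?? 'subscriber' );
    $role      = verify_role_hardened( $requested );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $params['username'] ?? '' ),
        'user_email' => sanitize_email( $params['email'] ?? '' ),
        'user_pass'  => $params['password'] ?? wp_generate_password(),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    if ( 'wcfm_vendor' === $requested ) {
        // Meta key is an assumption for this example; an approval process
        // would read it and promote the account only after review.
        update_user_meta( $user_id, '_example_vendor_application_pending', time() );
    }
    return $user_id;
}
```

The point of the contrast is where the decision lives: in the first function the request parameter selects the privilege, in the second the allowlist does, and the privileged role can only be reached through a separate, reviewed step.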

The operational impact of this vulnerability is severe and multifaceted, particularly for e-commerce WordPress installations that rely on WCFM Marketplace for multi-vendor functionality. An unauthenticated attacker who successfully exploits this vulnerability gains immediate vendor-level privileges, which include comprehensive access to product management capabilities, order processing rights, and store management features. This level of access effectively transforms a regular user account into a full vendor account with the ability to modify product listings, process orders, and manage store operations without any oversight or approval from the site administrators. The implications extend beyond simple privilege escalation to include potential data manipulation, financial transaction interference, and unauthorized access to sensitive business information.

This vulnerability aligns with CWE-276, which addresses improper privilege management, and maps to ATT&CK technique T1078.004, which covers the use of legitimate credentials for unauthorized access. The flaw effectively creates a backdoor that lets attackers bypass the intended security architecture of the WCFM Marketplace plugin, which is designed to require vendor approval and verification before granting administrative privileges. The issue also shows characteristics of improper input validation, since the REST API endpoint fails to properly validate or sanitize the role parameter before assignment, leaving it open to manipulation by malicious actors.

Organizations affected by this vulnerability should immediately implement mitigations including patching to the latest version of the App Builder plugin, implementing additional authentication controls for REST API endpoints, and monitoring for unauthorized vendor account creation. The recommended approach involves restricting access to the `/wp-json/app-builder/v1/register` endpoint through firewall rules, implementing rate limiting for registration attempts, and ensuring that role assignment through API calls is properly validated against the existing user approval workflows. Additionally, site administrators should conduct thorough audits of existing vendor accounts to identify any unauthorized access that may have occurred during the vulnerability window, and consider implementing additional security layers such as two-factor authentication for vendor accounts and enhanced monitoring of user registration activities.
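The following must-use plugin is an added example written for this page, not code from App Builder, WCFM Marketplace or Wordfence. It implements two of the mitigations above for a site that cannot update immediately: a `rest_request_before_callbacks` filter (a real WordPress core hook) that rejects any `role` value other than the self-service roles on the `/app-builder/v1/register` route and logs the attempt, and an audit helper that lists `wcfm_vendor` accounts registered after a given date so they can be checked against the marketplace's own approval records. The route, parameter name and role come from the advisory; the constant names, the `example_` prefix and the error code are assumptions.

```php
<?php
/**
 * Plugin Name: Example register-endpoint hardening
 * Description: Added example for this analysis (not part of App Builder or
 *              WCFM). Place in wp-content/mu-plugins/ on a site that cannot
 *              yet update the plugin.
 */

// Route and parameter are taken from the advisory; names below are assumptions.
const EXAMPLE_REGISTER_ROUTE = '/app-builder/v1/register';
const EXAMPLE_SELF_SERVICE   = array( 'subscriber', 'customer' );

// Runs before any REST callback. Returning a WP_Error here makes core answer
// with that error instead of dispatching to the plugin's handler.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( $request->get_route() !== EXAMPLE_REGISTER_ROUTE ) {
        return $response;
    }

    $role = $request->get_param( 'role' );
    if ( null === $role || in_array( $role, EXAMPLE_SELF_SERVICE, true ) ) {
        return $response;
    }

    // Record the rejected attempt so registration monitoring can pick it up.
    error_log( sprintf(
        'app-builder register: rejected role "%s" from %s',
        sanitize_key( (string) $role ),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    return new WP_Error(
        'example_role_not_permitted',
        'Requested role is not available through self-service registration.',
        array( 'status' => 403 )
    );
}, 10, 3 );

// Audit helper: vendor-role accounts registered on or after $since (a date
// string such as '2026-02-11'), for review against approval records.
function example_audit_vendor_accounts( string $since ): array {
    $users = get_users( array(
        'role'       => 'wcfm_vendor',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'orderby'    => 'registered',
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    $rows = array();
    foreach ( $users as $u ) {
        $rows[] = array(
            'id'         => (int) $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        );
    }
    return $rows;
}
```

The audit can be run from WP-CLI, for example `wp eval 'print_r( example_audit_vendor_accounts( "YYYY-MM-DD" ) );'` with the start of the exposure window substituted for the placeholder date. The filter only narrows what the endpoint accepts; it does not replace updating the plugin, and accounts listed by the audit still need to be compared with the marketplace's approval records by hand.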

Responsible

Wordfence

Reservation

02/11/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00087

KEV

no

Activities

very low

Sources
