{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2375", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T20:55:16.297Z", "datePublished": "2026-03-21T03:26:32.352Z", "dateUpdated": "2026-04-08T16:34:38.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:38.336Z"}, "affected": [{"vendor": "appcheap", "product": "App Builder \u2013 Create Native Android & iOS Apps On The Flight", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.5.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The App Builder \u2013 Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active."}], "title": "App Builder \u2013 Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a4521af-692a-4a84-ba9b-1904a42786c1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/AuthTrails.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/RegisterAuth.php#L108"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gibran Abdillah"}], "timeline": [{"time": "2026-03-20T15:06:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:44:12.214006Z", "id": "CVE-2026-2375", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:44:38.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:44:12.214006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:44:34.158Z"}}], "cna": {"title": "App Builder \u2013 Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Gibran Abdillah"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "appcheap", "product": "App Builder \u2013 Create Native Android & iOS Apps On The Flight", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.5.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:06:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a4521af-692a-4a84-ba9b-1904a42786c1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/AuthTrails.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/RegisterAuth.php#L108"}], "descriptions": [{"lang": "en", "value": "The App Builder \u2013 Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:38.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2375", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:38.336Z", "dateReserved": "2026-02-11T20:55:16.297Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:32.352Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The App Builder \u2013 Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active."}, {"lang": "es", "value": "El plugin App Builder \u2013 Create Native Android &amp; iOS Apps On The Flight para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 5.5.10, inclusive. Esto se debe a que la funci\u00f3n 'verify_role()' en 'AuthTrails.php' incluye expl\u00edcitamente el rol 'wcfm_vendor' junto con 'subscriber' y 'customer' en una lista blanca, y lo asigna directamente a trav\u00e9s de 'wp_insert_user()' sin integrarse con el flujo de trabajo de aprobaci\u00f3n de proveedores de WCFM Marketplace. Esto permite a atacantes no autenticados registrar una cuenta con el rol 'wcfm_vendor' al proporcionar el par\u00e1metro 'role' en el endpoint de la API REST '/wp-json/app-builder/v1/register', eludiendo el proceso est\u00e1ndar de aprobaci\u00f3n de proveedores de WCFM y obteniendo inmediatamente privilegios de nivel de proveedor (gesti\u00f3n de productos, acceso a pedidos, gesti\u00f3n de la tienda) en sitios donde WCFM Marketplace est\u00e1 activo."}], "id": "CVE-2026-2375", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:58.727", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/AuthTrails.php#L80"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/RegisterAuth.php#L108"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a4521af-692a-4a84-ba9b-1904a42786c1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.5.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "App Builder \u2013 Create Native Android & iOS Apps On The Flight", "source": "cna", "vendor": "appcheap"}, "product": "app_builder_\u2013_create_native_android_&_ios_apps_on_the_flight", "vendor": "appcheap"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:41:27.705772+00:00", "value": {"mitigation_remediation": ["Update the App Builder plugin to the latest stable release (greater than 5.5.10).", "If an immediate update is not possible, disable the plugin or restrict access to the /wp-json/app-builder/v1/register endpoint so that only authenticated users can register.", "Verify that the WCFM Marketplace vendor approval workflow is enabled and that no other user registration methods can assign the wcfm_vendor role.", "Regularly review user accounts and remove any unintended vendor accounts created during the vulnerability period."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to vendor-level access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the App Builder \u2013 Create Native Android & iOS Apps On The Flight plugin for WordPress, all releases up to and including version\u00a05.5.10 installed on sites that also run the WCFM Marketplace plugin. No other products or versions are known to be impacted.", "description_and_impact": "The App Builder plugin for WordPress has a privilege escalation flaw that allows anyone to register a user with vendor rights without authentication. By sending a 'role' parameter in the register REST endpoint, an attacker can create a user assigned the wcfm_vendor role, bypassing the WCFM Marketplace vendor approval process. This grants immediate vendor-level capabilities, including product management, order access, and store control, potentially exposing sensitive data and altering store configuration.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.5, indicating moderate severity. Although EPSS data is unavailable and the issue is not in CISA\u2019s KEV catalog, the attack vector is unauthenticated and relies on a standard REST API call, making exploitation straightforward for anyone with network access to the site. Organizations that host e\u2011commerce shops with WCFM Marketplace should treat this as an urgent risk until the plugin is updated or alternative controls are applied."}}}}, "created": "2026-03-23T09:51:03.078163+00:00", "updated": "2026-03-25T14:42:38.485212+00:00", "vendors": ["appcheap", "appcheap$PRODUCT$app_builder_\u2013_create_native_android_&_ios_apps_on_the_flight", "wordpress", "wordpress$PRODUCT$wordpress"]}