Description
Missing Authorization vulnerability in App Cheap App Builder app-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App Builder: from n/a through <= 5.5.6.
Published: 2025-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to bypass the normal access controls of the App Builder plugin. The flaw stems from incorrectly configured security levels, enabling an unauthenticated or improperly privileged user to read or modify protected content, settings, or other resources. The weakness is identified as CWE‑862, indicating that the application does not correctly enforce authorization checks.

Affected Systems

The affected product is the WordPress App Builder plugin developed by App Cheap. All releases up to and including version 5.5.6 are vulnerable. No earlier versions are listed as fixed, so any site running these builds should be considered at risk until a newer release is available.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity level, while the EPSS score of less than 1 % signals a low probability of exploitation in the wild. The flaw is not recorded in the CISA KEV catalog, reducing the likelihood of widespread, targeted attacks. The likely attack vector is remote, via crafted web requests to the WordPress site that hosts the plugin. An attacker with the ability to send such requests can exploit the missing checks to gain unauthorized access.

Generated by OpenCVE AI on May 1, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the App Builder plugin to a version newer than 5.5.6.
  • If an update cannot be applied immediately, disable or uninstall the plugin to remove the vulnerable functionality.
  • Review and enforce correct role and permission settings for all WordPress users to ensure proper authorization mechanisms are in place.

Generated by OpenCVE AI on May 1, 2026 at 07:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28342 Missing Authorization vulnerability in App Cheap App Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects App Builder: from n/a through 5.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in App Cheap App Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects App Builder: from n/a through 5.5.3. Missing Authorization vulnerability in App Cheap App Builder app-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App Builder: from n/a through <= 5.5.6.
Title WordPress App Builder plugin <= 5.5.3 - Broken Access Control Vulnerability WordPress App Builder plugin <= 5.5.6 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 23 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in App Cheap App Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects App Builder: from n/a through 5.5.3.
Title WordPress App Builder plugin <= 5.5.3 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:15.332Z

Reserved: 2025-06-11T16:07:56.073Z

Link: CVE-2025-49989

cve-icon Vulnrichment

Updated: 2025-06-23T17:15:10.751Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:25.027

Modified: 2026-04-23T15:31:56.063

Link: CVE-2025-49989

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses