Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
Published: 2026-03-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to vendor-level access
Action: Immediate Patch
AI Analysis

Impact

The App Builder plugin for WordPress has a privilege escalation flaw that allows anyone to register a user with vendor rights without authentication. By sending a 'role' parameter in the register REST endpoint, an attacker can create a user assigned the wcfm_vendor role, bypassing the WCFM Marketplace vendor approval process. This grants immediate vendor-level capabilities, including product management, order access, and store control, potentially exposing sensitive data and altering store configuration.

Affected Systems

The vulnerability affects the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress, all releases up to and including version 5.5.10 installed on sites that also run the WCFM Marketplace plugin. No other products or versions are known to be impacted.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity. Although EPSS data is unavailable and the issue is not in CISA's KEV catalog, the attack vector is unauthenticated and relies on a standard REST API call, making exploitation straightforward for anyone with network access to the site. Organizations that host e-commerce shops with WCFM Marketplace should treat this as an urgent risk until the plugin is updated or alternative controls are applied.

Generated by OpenCVE AI on March 21, 2026 at 06:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the App Builder plugin to the latest stable release (greater than 5.5.10).
  • If an immediate update is not possible, disable the plugin or restrict access to the /wp-json/app-builder/v1/register endpoint so that only authenticated users can register.
  • Verify that the WCFM Marketplace vendor approval workflow is enabled and that no other user registration methods can assign the wcfm_vendor role.
  • Regularly review user accounts and remove any unintended vendor accounts created during the vulnerability period.

Generated by OpenCVE AI on March 21, 2026 at 06:41 UTC.
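One way to put the second and fourth recommended actions into practice (gating the register endpoint and keeping an audit trail of vendor-role assignments), as an added example that is neither OpenCVE's nor the plugin's own code: a WordPress must-use plugin built only on core hooks. It assumes the route path `/app-builder/v1/register` and the `subscriber`/`customer` whitelist exactly as the description states them; the constant and function names prefixed `abr_` are made up for this example, and the log lines go to PHP's `error_log()` so they can be picked up by whatever log shipping the site already has.

```php
<?php
/**
 * Plugin Name: App Builder register guard (mitigation example, not the vendor's fix)
 *
 * Install by copying into wp-content/mu-plugins/. Two controls:
 *  1. Refuse any App Builder registration request that asks for a role outside
 *     the roles self-registration may legitimately receive (wcfm_vendor is
 *     deliberately absent, so vendors must go through WCFM's approval flow).
 *  2. Log every assignment of the wcfm_vendor role made during a REST request,
 *     which gives the account review recommended above something to grep for.
 *
 * Assumption: the vulnerable route is /app-builder/v1/register, as the
 * advisory text states; adjust ABR_REGISTER_ROUTE if the site differs.
 */

const ABR_REGISTER_ROUTE = '/app-builder/v1/register';

// Roles a self-registration may request. Mirrors the subscriber/customer roles
// named in the advisory; wcfm_vendor is intentionally not listed.
const ABR_ALLOWED_REG_ROLES = array( 'subscriber', 'customer' );

add_filter( 'rest_pre_dispatch', 'abr_guard_register_route', 10, 3 );

/**
 * Short-circuit the REST dispatch for the register route when the request
 * carries a 'role' value outside the whitelist. Returning a WP_Error from
 * rest_pre_dispatch stops the endpoint callback from ever running.
 *
 * @param mixed           $result  Null unless an earlier filter already answered.
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The incoming request.
 * @return mixed WP_Error to block, otherwise the unchanged $result.
 */
function abr_guard_register_route( $result, $server, $request ) {
    if ( ABR_REGISTER_ROUTE !== $request->get_route() ) {
        return $result; // Not the endpoint this guard covers.
    }

    $role = $request->get_param( 'role' );
    if ( null === $role ) {
        return $result; // No role requested; the plugin falls back to its default.
    }

    if ( ! in_array( (string) $role, ABR_ALLOWED_REG_ROLES, true ) ) {
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'abr: blocked register request with role=%s from %s',
            sanitize_key( (string) $role ),
            $remote
        ) );
        return new WP_Error(
            'abr_role_not_allowed',
            'Role selection is not permitted on this endpoint.',
            array( 'status' => 403 )
        );
    }

    return $result;
}

add_action( 'set_user_role', 'abr_log_vendor_role_assignment', 10, 3 );

/**
 * Record every wcfm_vendor assignment that happens inside a REST request.
 * wp_insert_user() calls WP_User::set_role() for new accounts, so this fires
 * for registrations as well as later role changes. REST_REQUEST is the core
 * constant WordPress defines while serving a REST call.
 *
 * @param int      $user_id   The user whose role changed.
 * @param string   $role      The new role.
 * @param string[] $old_roles Roles the user held before the change.
 */
function abr_log_vendor_role_assignment( $user_id, $role, $old_roles ) {
    if ( 'wcfm_vendor' !== $role ) {
        return;
    }
    if ( ! ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return; // Assignments made from wp-admin are outside this check's scope.
    }
    error_log( sprintf(
        'abr: user %d assigned wcfm_vendor via REST (previous roles: %s)',
        (int) $user_id,
        $old_roles ? implode( ',', $old_roles ) : 'none'
    ) );
}
```

The first hook is the stopgap for sites that cannot update yet; the second stays useful after the update, because any line it writes is a vendor account that was created or promoted outside the normal approval path and belongs on the review list from the last recommended action. Both rely on documented core hooks (`rest_pre_dispatch`, `set_user_role`) rather than on anything inside the App Builder plugin, so they keep working across plugin versions.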

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Appcheap; Appcheap app Builder – Create Native Android & Ios Apps On The Flight; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Appcheap; Appcheap app Builder – Create Native Android & Ios Apps On The Flight; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.

Type: Title
Values Removed: (none)
Values Added: App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-269

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Appcheap App Builder – Create Native Android & Ios Apps On The Flight
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:38.336Z

Reserved: 2026-02-11T20:55:16.297Z

Link: CVE-2026-2375

Vulnrichment

Updated: 2026-03-24T13:44:34.158Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T04:16:58.727

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:38Z

Weaknesses