Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with Subscriber or higher privileges to modify any user’s avatar by sending a manipulated user_id parameter to the plugin’s upload-avatar endpoint. This creates a potential for account impersonation, phishing attacks, or defacement of administrator profiles, compromising the integrity of user identities. The flaw arises from a missing authorization check in the upload_avatar function, which updates user meta based solely on the supplied user_id.

Affected Systems

Apps created with Appcheap’s App Builder – Create Native Android & iOS Apps On The Flight WordPress plugin, all versions up to and including 5.6.0, are affected. The issue is present in the core code where avatar uploads are processed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the exploitability depends on the attacker’s credentials; the EPSS score is not available and the vulnerability is not catalogued in KEV. Attackers must be authenticated as a Subscriber or higher, then issue a POST request to the /wp-json/app-builder/v1/upload-avatar route with a crafted user_id. No additional privileges or system wide access are required beyond these credentials. Because the attack vector is limited to logged-in users, the practical risk is moderated but still significant for sites with many subscriber users.

Generated by OpenCVE AI on May 2, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the App Builder plugin to a version newer than 5.6.0, where the authorization check has been restored.
  • As a temporary workaround, disable or protect the /wp-json/app-builder/v1/upload-avatar REST endpoint from users without administrative roles.
  • Review user role assignments to ensure that only trusted accounts hold Subscriber or higher privileges, and consider reducing the number of users with such roles or removing the capability to change avatars.

Generated by OpenCVE AI on May 2, 2026 at 06:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Appcheap
Appcheap app Builder – Create Native Android & Ios Apps On The Flight
Wordpress
Wordpress wordpress
Vendors & Products Appcheap
Appcheap app Builder – Create Native Android & Ios Apps On The Flight
Wordpress
Wordpress wordpress

Sat, 02 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.
Title App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Appcheap App Builder – Create Native Android & Ios Apps On The Flight
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T03:36:42.852Z

Reserved: 2026-05-01T15:32:16.078Z

Link: CVE-2026-7638

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T04:16:23.927

Modified: 2026-05-02T04:16:23.927

Link: CVE-2026-7638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses