App Builder – Create Native Android & iOS Apps On The Flight Vulner…

by | Mar 20, 2026 | Plugins

Attack Vectors

CVE-2026-2375 is a Medium-severity privilege escalation issue (CVSS 6.5) affecting the WordPress plugin App Builder – Create Native Android & iOS Apps On The Flight (slug: app-builder) in all versions up to and including 5.5.10.

An attacker does not need to be logged in. By sending a crafted registration request to the plugin’s REST API endpoint (under /wp-json/...) and supplying a role parameter, an unauthenticated user may be able to create an account with elevated permissions associated with the wcfm_vendor role.

This matters most for organizations running multi-vendor or marketplace-style features (including environments that use WCFM Marketplace), because vendor accounts can often access store management, product publishing, and order-related functionality.

Security Weakness

The vulnerability stems from how the plugin validates and assigns user roles during registration. Specifically, the plugin’s verify_role() logic explicitly allows wcfm_vendor (alongside basic roles like subscriber and customer) and then assigns the requested role directly during user creation.

Because this role assignment does not integrate with WCFM Marketplace’s vendor approval workflow, the normal “review/approve vendor” business process can be bypassed. In practical terms, the system may treat a self-registered attacker as an approved vendor.

Remediation note: At the time of reporting, there is no known patch available. Risk decisions should account for your exposure (public registration enabled, REST API reachable, marketplace/vendor features enabled) and the business impact if vendor permissions are abused.

Technical or Business Impacts

If exploited, this issue can enable unauthorized creation of vendor-level accounts. Depending on your site configuration and marketplace setup, that can translate into the ability to publish products/content, modify listings, interact with customer orders, or access operational data intended for vetted partners.

Business risks commonly include brand damage (fraudulent listings or spam storefronts appearing on your domain), customer support and refund burden, potential revenue loss (malicious discounts, diversion tactics), and compliance concerns if order/customer data becomes accessible beyond approved parties.

Given the lack of a vendor-approval safeguard in the affected flow, organizations should consider mitigations aligned to risk tolerance, such as: disabling public registration if not required, restricting vendor-role creation to internal workflows only, limiting access to the plugin’s registration endpoint via WAF/rules where feasible, and—where acceptable—uninstalling and replacing the affected software until a patch is available.
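To make the weakness described under Security Weakness and the mitigations above concrete, here is an added illustration in WordPress PHP. It is not the app-builder plugin's code; the permissive check is reconstructed only from the behaviour the advisory describes, and the function names, the privileged-role list and the must-use plugin hook are assumptions.

```php
<?php
// Added illustration, not code from the app-builder plugin.

// Permissive shape (as described in the advisory): the allowlist itself
// contains a privileged marketplace role, so a self-registration request
// that asks for it is handed straight to user creation.
function verify_role_permissive( string $requested ): string {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' ); // vendor should not be self-assignable
    return in_array( $requested, $allowed, true ) ? $requested : 'subscriber';
}

// Hardened shape: self-registration may only yield roles that carry no
// store-management capabilities; anything else collapses to the site's
// default role. Vendor status must come from the approval workflow instead.
function verify_role_hardened( string $requested ): string {
    $self_service = array( 'subscriber', 'customer' );
    if ( ! in_array( $requested, $self_service, true ) ) {
        return get_option( 'default_role', 'subscriber' );
    }
    return $requested;
}

// Defence in depth while no patch exists (assumed mu-plugin): demote any
// account created with a privileged role by a request whose actor lacks the
// promote_users capability, which is the case for an unauthenticated caller.
add_action( 'user_register', function ( int $user_id, array $userdata = array() ): void {
    $privileged = array( 'wcfm_vendor', 'shop_manager', 'editor', 'administrator' ); // assumed list

    if ( current_user_can( 'promote_users' ) ) {
        return; // created by a privileged user through a legitimate workflow
    }

    $user = get_userdata( $user_id );
    $requested = isset( $userdata['role'] ) ? (string) $userdata['role'] : '';
    $held = $user ? (array) $user->roles : array();

    if ( ! in_array( $requested, $privileged, true ) && ! array_intersect( $privileged, $held ) ) {
        return; // nothing privileged was requested or granted
    }

    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    error_log( sprintf( 'Demoted self-registered user %d: privileged role "%s" requested without authorization', $user_id, $requested ) );
}, PHP_INT_MAX, 2 );
```

The hook relies on the role being assigned inside wp_insert_user(), which is where user_register fires; if a plugin assigns the role in a later step, the set_user_role action is the place to apply the same check.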

Similar Attacks

Unauthenticated privilege escalation in WordPress plugins is a recurring pattern—often tied to insecure role assignment during registration or profile updates. A comparable example is CVE-2023-3460 (Ultimate Member – unauthenticated privilege escalation), where attackers could gain elevated access by abusing plugin-side authorization and role handling.

For reference and ongoing tracking of this specific issue, see the official record: CVE-2026-2375 and the research source: Wordfence vulnerability report.
