CVE-2026-2375 Overview
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress contains a Privilege Escalation vulnerability in all versions up to and including 5.5.10. The vulnerability exists due to improper role validation in the verify_role() function within AuthTrails.php, which explicitly whitelists the wcfm_vendor role alongside subscriber and customer roles. This allows unauthenticated attackers to register accounts with elevated vendor-level privileges by exploiting the REST API registration endpoint.
Critical Impact
Unauthenticated attackers can bypass WCFM Marketplace's vendor approval workflow and immediately gain vendor-level privileges including product management, order access, and store management capabilities.
Affected Products
- App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress versions ≤ 5.5.10
- WordPress sites with WCFM Marketplace plugin active
- Sites exposing the /wp-json/app-builder/v1/register REST API endpoint
Discovery Timeline
- 2026-03-21 - CVE-2026-2375 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-2375
Vulnerability Analysis
This Privilege Escalation vulnerability (CWE-269: Improper Privilege Management) stems from a design flaw in how the App Builder plugin handles user role assignment during registration. The verify_role() function in AuthTrails.php maintains a hardcoded whitelist of acceptable roles that includes wcfm_vendor, subscriber, and customer. When a registration request is processed through the REST API endpoint, the plugin directly assigns the user-supplied role via wp_insert_user() without verifying whether the role assignment should require additional authorization workflows.
On sites where WCFM Marketplace is installed and active, this creates a significant security gap. The WCFM Marketplace plugin implements a vendor approval workflow designed to vet potential vendors before granting them marketplace privileges. However, the App Builder plugin's registration mechanism completely bypasses this approval process, allowing anyone to instantly become a vendor with full capabilities.
Root Cause
The root cause lies in the explicit whitelisting of the wcfm_vendor role in the verify_role() function without integrating with WCFM Marketplace's vendor approval workflow. The plugin directly calls wp_insert_user() with the attacker-controlled role parameter, creating the user account with vendor privileges immediately upon registration. This implementation fails to respect the separation of concerns between basic WordPress user registration and marketplace-specific vendor onboarding processes.
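The following PHP is an added illustration, not the plugin's actual code: it reconstructs the role-check pattern the advisory describes (a static allow-list that contains wcfm_vendor, followed by a direct wp_insert_user() call) and places a hardened version beside it. Function names, the request parameter names and the user-meta key are assumptions; only the role names and wp_insert_user() come from the advisory.

```php
<?php
// Added example, not code from App Builder or WCFM Marketplace.
// Reconstruction of the flawed pattern next to a hardened one.

// Vulnerable pattern: any role on the static allow-list is accepted,
// and the list includes the marketplace vendor role.
function verify_role_vulnerable( $role ) {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' );
    return in_array( $role, $allowed, true );
}

function register_user_vulnerable( array $params ) {
    $role = isset( $params['role'] ) ? sanitize_key( $params['role'] ) : 'subscriber';
    if ( ! verify_role_vulnerable( $role ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted', array( 'status' => 400 ) );
    }
    // The client-chosen role is written straight to the new account;
    // WCFM's vendor approval step never runs.
    return wp_insert_user( array(
        'user_login' => sanitize_user( $params['username'] ),
        'user_email' => sanitize_email( $params['email'] ),
        'user_pass'  => $params['password'],
        'role'       => $role,
    ) );
}

// Hardened pattern: self-service registration may only pick a role that
// carries no marketplace capabilities; anything else falls back to the
// site's configured default role instead of being rejected or granted.
function resolve_role_hardened( $requested ) {
    $self_service = array( 'subscriber', 'customer' );
    if ( in_array( $requested, $self_service, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function register_user_hardened( array $params ) {
    $requested = isset( $params['role'] ) ? sanitize_key( $params['role'] ) : '';
    $role      = resolve_role_hardened( $requested );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $params['username'] ),
        'user_email' => sanitize_email( $params['email'] ),
        'user_pass'  => $params['password'],
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // A vendor request is only recorded, so the marketplace's own approval
    // workflow can act on it later. The meta key is an assumption.
    if ( 'wcfm_vendor' === $requested ) {
        update_user_meta( $user_id, '_app_builder_vendor_requested', time() );
    }
    return $user_id;
}
```

The hardened version keeps the registration endpoint usable for ordinary accounts while making it impossible for an unauthenticated request to choose a privileged role; vendor onboarding stays where the marketplace plugin expects it.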
Attack Vector
The attack is executed over the network through the WordPress REST API. An unauthenticated attacker can send a crafted POST request to the /wp-json/app-builder/v1/register endpoint with the role parameter set to wcfm_vendor. The server processes this request through the RegisterAuth.php handler, which passes the role to verify_role() for validation. Since wcfm_vendor is whitelisted, the validation passes, and the new user account is created with full vendor privileges.
Upon successful exploitation, the attacker gains immediate access to vendor dashboard functionality including the ability to create and manage product listings, view customer orders and sensitive order information, manage their virtual storefront, and potentially access financial data depending on the marketplace configuration.
Detection Methods for CVE-2026-2375
Indicators of Compromise
- Unusual user registrations with the wcfm_vendor role that bypassed the normal vendor approval queue
- New vendor accounts appearing in WCFM Marketplace without corresponding approval records
- REST API access logs showing POST requests to /wp-json/app-builder/v1/register with role parameters
- Multiple vendor account registrations from the same IP address or within short time windows
Detection Strategies
- Monitor WordPress REST API logs for registration requests containing the role=wcfm_vendor parameter
- Implement alerting on new vendor accounts that lack corresponding entries in the WCFM vendor approval history
- Review wp_users and wp_usermeta tables for accounts with wcfm_vendor capabilities created through unexpected registration paths
- Configure web application firewall (WAF) rules to flag or block suspicious registration API requests
Monitoring Recommendations
- Enable detailed logging for the /wp-json/app-builder/v1/register endpoint to capture all registration attempts
- Set up periodic audits comparing WCFM Marketplace vendor approval logs against the current vendor user roster
- Implement real-time alerts for any new user accounts created with elevated roles through REST API endpoints
- Monitor for unauthorized product listings or store modifications that could indicate compromised vendor accounts
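As an added example of the real-time alerting and audit points above (not code from App Builder or WCFM Marketplace), the following must-use plugin logs every grant of the wcfm_vendor role, records whether it happened inside a REST request, and flags accounts created that way so they can be listed later. The role name and REST entry path come from the advisory; the prefix, log format and meta key are assumptions.

```php
<?php
/**
 * Plugin Name: Vendor Role Audit (added example, not part of App Builder or WCFM)
 * Description: Logs every assignment of a watched role and flags accounts that
 * received it during a REST request. Place in wp-content/mu-plugins/.
 */

const VRA_WATCHED_ROLES = array( 'wcfm_vendor' );

// True when WordPress is serving a REST API request; REST_REQUEST is defined
// by core when the REST server starts handling the request.
function vra_is_rest_request() {
    return defined( 'REST_REQUEST' ) && REST_REQUEST;
}

// One log line per grant. Kept separate from the hook so the format can be
// matched by a log pipeline or checked in isolation.
function vra_format_event( $user_id, $role, $new_account, $via_rest, $remote_addr ) {
    return sprintf(
        'vendor-role-audit user_id=%d role=%s new_account=%s via_rest=%s remote_addr=%s',
        (int) $user_id,
        $role,
        $new_account ? 'yes' : 'no',
        $via_rest ? 'yes' : 'no',
        $remote_addr
    );
}

// set_user_role fires from WP_User::set_role(), which wp_insert_user() calls
// for new accounts and which plugins call when promoting existing ones, so a
// single hook covers both paths. An empty $old_roles means a brand-new account.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, VRA_WATCHED_ROLES, true ) ) {
        return;
    }
    $new_account = empty( $old_roles );
    $via_rest    = vra_is_rest_request();
    // REMOTE_ADDR is the proxy's address behind a reverse proxy; adjust for
    // your deployment.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    error_log( vra_format_event( $user_id, $role, $new_account, $via_rest, $remote ) );

    // Flag REST-created vendors so an audit can list them without reading
    // the log. The meta key is an assumption.
    if ( $new_account && $via_rest ) {
        update_user_meta( $user_id, '_vra_rest_created_vendor', current_time( 'mysql', true ) );
    }
}, 10, 3 );
```

For the periodic audit, the flagged accounts can be pulled out with WP-CLI alongside the full vendor roster (`wp user list --role=wcfm_vendor --fields=ID,user_login,user_registered`) and compared against the marketplace's approval records; any flagged account with no approval entry matches the first two indicators of compromise listed above.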
How to Mitigate CVE-2026-2375
Immediate Actions Required
- Update the App Builder plugin to a version newer than 5.5.10 that addresses this vulnerability
- Audit all existing vendor accounts to identify any created through the REST API registration endpoint without proper WCFM approval
- Temporarily disable the App Builder REST API registration endpoint if immediate patching is not possible
- Review and revoke privileges for any suspicious vendor accounts identified during the audit
Patch Information
Consult the Wordfence Vulnerability Analysis for the latest patch details and vendor advisories. The vulnerable code can be reviewed in the WordPress Plugin Code Reference for AuthTrails.php and RegisterAuth.php.
Workarounds
- Implement a web application firewall rule to block POST requests to /wp-json/app-builder/v1/register that contain wcfm_vendor in the role parameter
- Disable the App Builder plugin's REST API registration functionality entirely until a patch is available
- Use WordPress security plugins to restrict REST API access to authenticated users only
- If WCFM Marketplace vendor functionality is not required, remove the wcfm_vendor role from WordPress or restrict its capabilities
# Example .htaccess rule to block malicious registration attempts
# Add to the WordPress root .htaccess file, above the "# BEGIN WordPress" block
# Note: mod_rewrite cannot inspect the request body, so this rule only catches a
# role supplied in the query string; a role sent in a JSON or form body needs a
# WAF such as mod_security, or a server-side hook inside WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} ^/wp-json/app-builder/v1/register [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=(%2F|/)app-builder(%2F|/)v1(%2F|/)register [NC]
RewriteCond %{QUERY_STRING} role=wcfm_vendor [NC]
RewriteRule .* - [F,L]
</IfModule>
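Because mod_rewrite only sees the query string, a request that carries the role in a JSON body slips past a rewrite rule. The following must-use plugin, an added example and not code from App Builder, closes that gap inside WordPress: it intercepts the register route before the plugin's handler runs and refuses any request that asks for a role outside a small self-service list. The route and the role parameter name are taken from the advisory; the prefix, the allow-list and the error code are assumptions.

```php
<?php
/**
 * Plugin Name: App Builder Registration Guard (added example, not App Builder's code)
 * Description: Rejects REST registrations that request a privileged role before
 * the App Builder handler runs. Place in wp-content/mu-plugins/ until the
 * plugin is updated.
 */

const ABRG_REGISTER_ROUTE     = '/app-builder/v1/register';
const ABRG_SELF_SERVICE_ROLES = array( 'subscriber', 'customer' );

// Policy decision kept as a pure function so it can be reasoned about
// without a WordPress bootstrap. Returns true when the request must be refused.
function abrg_should_reject( $route, $role ) {
    if ( ABRG_REGISTER_ROUTE !== $route ) {
        return false; // some other endpoint; not our concern
    }
    if ( null === $role || '' === $role ) {
        return false; // no role requested, the plugin default applies
    }
    return ! in_array( $role, ABRG_SELF_SERVICE_ROLES, true );
}

// rest_pre_dispatch runs before any route callback. Returning a WP_Error
// short-circuits dispatch and the REST server sends it as a JSON error.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! $request instanceof WP_REST_Request ) {
        return $result;
    }
    // get_param() reads the query string, a JSON body and a form body alike,
    // which is exactly what a query-string rewrite rule cannot do.
    $role = $request->get_param( 'role' );
    $role = is_string( $role ) ? $role : null;

    if ( ! abrg_should_reject( $request->get_route(), $role ) ) {
        return $result;
    }

    error_log( sprintf(
        'app-builder-guard rejected registration role=%s remote_addr=%s',
        $role,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'abrg_role_not_allowed',
        'Vendor accounts must be requested through the marketplace approval process.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

The guard deliberately refuses rather than silently downgrades the role, so each attempt is visible in the log and the application behaviour does not depend on how the upstream handler treats an unexpected value. Remove it once the plugin has been updated past 5.5.10 and the fixed behaviour has been confirmed.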
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


