What the vulnerability does
01 Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
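The flaw is a textbook case of a self-service endpoint trusting a client-supplied role. The PHP below is an added illustration written for this page, not the plugin's own code: the advisory gives only the route, the fact that `verify_role()` allowlists `subscriber`, `customer` and `wcfm_vendor`, and the hand-off to `wp_insert_user()`. Everything else (the `abr_*` function names, the `username`/`email`/`password` parameter names, the `abr_vendor_requested` meta key) is assumed for the example, and the route registration reuses the advisory's namespace and path only to show where schema validation would sit, not to be loaded next to the real plugin.

```php
<?php
/**
 * Added example for this advisory page; NOT code from the App Builder plugin.
 * Assumed for illustration: the abr_* function names, the parameter names
 * other than 'role', and the 'abr_vendor_requested' user-meta key.
 */

// --- Vulnerable shape, as the advisory describes it ------------------------
// The client-supplied 'role' is accepted verbatim if it is on the list, so a
// request carrying role=wcfm_vendor creates a vendor account with no
// approval step in between.
function abr_verify_role_unsafe( $role ) {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' ); // vendor role must not be self-assignable
    return in_array( $role, $allowed, true ) ? $role : 'subscriber';
}

function abr_register_unsafe( WP_REST_Request $request ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( (string) $request->get_param( 'username' ), true ),
        'user_email' => sanitize_email( (string) $request->get_param( 'email' ) ),
        'user_pass'  => (string) $request->get_param( 'password' ),
        'role'       => abr_verify_role_unsafe( (string) $request->get_param( 'role' ) ),
    ) );
    return is_wp_error( $user_id ) ? $user_id : rest_ensure_response( array( 'id' => $user_id ) );
}

// --- Hardened shape: registration never grants privilege -------------------
// Only roles a visitor may give themselves are accepted; anything else,
// wcfm_vendor included, falls back to the site's configured default role.
function abr_verify_role_safe( $role ) {
    $self_service = array( 'subscriber', 'customer' );
    return in_array( $role, $self_service, true ) ? $role : get_option( 'default_role', 'subscriber' );
}

function abr_register_safe( WP_REST_Request $request ) {
    // A public sign-up endpoint must honour the site-wide registration switch
    // (Settings > General > "Anyone can register").
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.', array( 'status' => 403 ) );
    }

    $requested = (string) $request->get_param( 'role' );
    $user_id   = wp_insert_user( array(
        'user_login' => sanitize_user( (string) $request->get_param( 'username' ), true ),
        'user_email' => sanitize_email( (string) $request->get_param( 'email' ) ),
        'user_pass'  => (string) $request->get_param( 'password' ),
        'role'       => abr_verify_role_safe( $requested ), // never the requested privileged role
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // A vendor request is stored as intent only. Whether the role is ever
    // granted is left to the marketplace's own approval workflow, which is
    // not part of this example. The meta key is an assumption.
    if ( 'wcfm_vendor' === $requested ) {
        update_user_meta( $user_id, 'abr_vendor_requested', time() );
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}

// Second line of defence: declare the argument schema so WordPress rejects
// role values outside the enum before the callback runs at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'app-builder/v1', '/register', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'abr_register_safe',
        'permission_callback' => '__return_true', // intentionally public: this is a sign-up endpoint
        'args'                => array(
            'username' => array( 'type' => 'string', 'required' => true ),
            'email'    => array( 'type' => 'string', 'format' => 'email', 'required' => true ),
            'password' => array( 'type' => 'string', 'required' => true ),
            'role'     => array(
                'type'    => 'string',
                'enum'    => array( 'subscriber', 'customer' ),
                'default' => 'subscriber',
            ),
        ),
    ) );
} );
```

The two checks are deliberately redundant: the schema `enum` stops a bad `role` value at the REST layer, and `abr_verify_role_safe()` stops it again inside the callback, so a later refactor that drops either one does not reopen the hole. After updating a site, existing accounts that may have been created through the bypass can be listed with `wp user list --role=wcfm_vendor --fields=ID,user_login,user_registered` and reconciled against the marketplace's approval records.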
Explanation of Vulnerability in Simple Terms
02 Summary
App Builder versions up to and including 5.5.10 contain a privilege management flaw in the plugin's REST registration endpoint: it lets anyone on the network create an account with the `wcfm_vendor` role simply by asking for it, with no authentication and no user interaction. On a site where WCFM Marketplace is active, that account immediately has vendor-level access (product management, order access, store management) without ever passing through WCFM's vendor approval, so marketplace data reachable by a vendor can be read and modified by a remote attacker. Administrators should update to a version newer than 5.5.10 as soon as possible.
What an attacker can do
03 Attacker Capabilities
Register an account with the `wcfm_vendor` role without authentication or approval, then use that vendor-level access to read and modify marketplace data (products, orders, store settings) the role can reach.
Potential impact on your site
04 Site Impact
On sites where WCFM Marketplace is active, any visitor can obtain a vendor account without an administrator's knowledge or approval; products, orders and store configuration reachable by a vendor may then be exposed or altered by remote attackers without warning.
Conditions required to exploit
05 Prerequisites
Network access to the plugin's REST registration endpoint (`/wp-json/app-builder/v1/register`) on a site running App Builder 5.5.10 or earlier; no authentication or user interaction is required. The vendor-level impact described above applies where WCFM Marketplace is also active.
Key dates
06 Disclosure timeline
March 21, 2026
CVE published
April 8, 2026
Record updated