CVE-2026-2375 (severity: MEDIUM)

CVE-2026-2375: App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter

Vendor: Appcheap
Product: App Builder – Create Native Android & iOS Apps On The Flight
Weakness: CWE-269 (Improper Privilege Management)
Published: March 21, 2026
Last update: April 8, 2026

CVSS base score

Base score: 6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description (what the vulnerability does)

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
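As an added defensive example (not the plugin's or Appcheap's code), the following must-use plugin virtual-patches the register route named above until the site is updated: it rejects any self-registration that requests a role outside a fixed allowlist, and separately logs every new account that is created with the `wcfm_vendor` role, whichever code path created it. The hook names are WordPress core's; the allowlist contents, option of logging to `error_log`, and message wording are my assumptions.

```php
<?php
/**
 * Plugin Name: Harden app-builder register endpoint (hypothetical mitigation)
 * Install in wp-content/mu-plugins/ so it loads before regular plugins.
 * Added example; not part of the App Builder plugin.
 */
defined( 'ABSPATH' ) || exit;

// Roles a self-service registration is allowed to request. 'wcfm_vendor' is
// deliberately absent: vendor accounts must go through WCFM's approval workflow.
const AB_SELF_SERVICE_ROLES = [ 'subscriber', 'customer' ];

// Short-circuit the REST request before the plugin's own handler runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Only inspect the register route named in the advisory.
    if ( $request->get_route() !== '/app-builder/v1/register' ) {
        return $result;
    }
    $role = $request->get_param( 'role' );
    if ( $role !== null && ! in_array( $role, AB_SELF_SERVICE_ROLES, true ) ) {
        error_log( sprintf(
            'app-builder register: rejected role "%s" from %s',
            $role,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden_role',
            'Requested role is not permitted for self-registration.',
            [ 'status' => 403 ]
        );
    }
    return $result;
}, 10, 3 );

// Audit trail: wp_insert_user() assigns the role before firing user_register,
// so any account that reaches this hook with wcfm_vendor is worth reviewing.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'wcfm_vendor', (array) $user->roles, true ) ) {
        error_log( "audit: new user {$user_id} created with wcfm_vendor role" );
    }
}, 10, 1 );
```

The audit hook is also useful after patching: reviewing `wcfm_vendor` accounts created before the update, and comparing them with WCFM's own approval records, is the practical way to find accounts that bypassed the workflow.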

Summary (explanation in simple terms)

App Builder versions up to and including 5.5.10 contain a privilege management flaw that allows unauthenticated attackers to read and modify sensitive data over the network without user interaction. The vulnerability affects the app-building platform's core access controls, potentially exposing user data and application configurations. Administrators should update to a version newer than 5.5.10 as soon as possible.

Attacker capabilities (what an attacker can do)

Read and modify sensitive data in the application without authentication.

Site impact (potential impact on your site)

User data and app configurations may be exposed or altered by remote attackers without warning or authentication.

Prerequisites (conditions required to exploit)

Network access to the affected App Builder instance; no authentication or user interaction required. The vendor-level impact described above applies on sites where WCFM Marketplace is active.

Disclosure timeline (key dates)

March 21, 2026: CVE published
April 8, 2026: Record updated