App Builder WordPress Plugin: Unauthenticated Vendor Account Creation

CVE-2026-2375
Summary

An unauthenticated attacker can register an account with the `wcfm_vendor` role by sending a `role` parameter to the plugin's `/wp-json/app-builder/v1/register` REST endpoint. This bypasses WCFM Marketplace's vendor approval workflow and gives the attacker vendor-level access (product management, order access, store management) on sites where WCFM Marketplace is active. All versions up to and including 5.5.10 are affected; update to the latest version of the App Builder plugin to fix this issue.

Original description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
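The description above identifies a role allowlist that lets a request-supplied `role` flow straight into `wp_insert_user()`. The following is an added example, not code from the App Builder plugin or from the actual `verify_role()` in `AuthTrails.php`: it reconstructs the described pattern as a hypothetical `insecure_verify_role()`, then shows a hardened `secure_verify_role()` and a hypothetical register callback on the endpoint path the advisory names. Function names, the error code, and the argument names (`username`, `email`, `password`) are assumptions.

```php
<?php
// Added example (not the plugin's code). Reconstructs the pattern CVE-2026-2375
// describes and a hardened replacement. Function and argument names are assumed.

// Vulnerable pattern as described: the request's "role" is accepted whenever it
// appears in a whitelist that includes the privileged wcfm_vendor role, so an
// unauthenticated caller can self-assign vendor status.
function insecure_verify_role( $role ) {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' );
    return in_array( $role, $allowed, true ) ? $role : 'subscriber';
}

// Hardened replacement: only low-privilege roles may be self-registered. Any
// other value (wcfm_vendor, shop_manager, administrator, ...) is refused with a
// 400 rather than silently mapped, so vendor status can only come from WCFM
// Marketplace's own approval workflow.
function secure_verify_role( $requested ) {
    $self_registrable = array( 'subscriber', 'customer' );
    if ( null === $requested || '' === $requested ) {
        return get_option( 'default_role', 'subscriber' );
    }
    if ( ! in_array( $requested, $self_registrable, true ) ) {
        return new WP_Error(
            'app_builder_invalid_role',                // hypothetical error code
            'Requested role cannot be self-assigned.',
            array( 'status' => 400 )
        );
    }
    return $requested;
}

// Hypothetical registration callback: the role is validated before it ever
// reaches wp_insert_user(), and a WP_Error short-circuits account creation.
function app_builder_example_register( WP_REST_Request $request ) {
    $role = secure_verify_role( $request->get_param( 'role' ) );
    if ( is_wp_error( $role ) ) {
        return $role;
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( (string) $request->get_param( 'username' ), true ),
        'user_email' => sanitize_email( (string) $request->get_param( 'email' ) ),
        'user_pass'  => (string) $request->get_param( 'password' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'id' => $user_id, 'role' => $role ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'app-builder/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'app_builder_example_register',
        // Registration is unauthenticated by design; the role check above is
        // what keeps that from becoming privilege escalation.
        'permission_callback' => '__return_true',
        'args'                => array(
            'role' => array(
                'type' => 'string',
                // Schema-level rejection as a second layer: WordPress validates
                // enum before the callback runs.
                'enum' => array( 'subscriber', 'customer' ),
            ),
        ),
    ) );
} );
```

After updating, a quick check is to POST to `/wp-json/app-builder/v1/register` with `role=wcfm_vendor` and confirm the request is rejected rather than creating a vendor. Also audit accounts created while the vulnerable version was installed, for example with `wp user list --role=wcfm_vendor --fields=ID,user_login,user_email,user_registered`, and compare them against the vendors WCFM Marketplace actually approved.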
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-269 Improper Privilege Management
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026