Platform: wordpress
Component: app-builder
Fixed in: 5.5.11
CVE-2026-2375 describes a privilege escalation vulnerability discovered in the App Builder WordPress plugin, a tool for creating native Android and iOS apps. The flaw allows unauthenticated attackers to gain elevated privileges by registering an account with the wcfm_vendor role, bypassing the intended vendor approval process. It affects all versions up to and including 5.5.10 (0.0.0–5.5.10), and a fix is expected in a future release.
An attacker exploiting this vulnerability can register a new WordPress user account and directly assign it the 'wcfm_vendor' role without passing through the standard WCFM Marketplace vendor approval workflow. This grants unauthorized access to vendor-specific functionality and potentially to sensitive data within the WordPress site: the attacker could manipulate product listings, access order information, or perform other actions normally restricted to approved vendors. The blast radius extends to any WordPress site running the vulnerable plugin, with potential impact on e-commerce operations and data integrity.
This vulnerability was publicly disclosed on 2026-03-21. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is rated as MEDIUM. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation makes it a potential target for opportunistic attackers.
Exploit status:
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade the App Builder plugin to a version containing the fix. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to prevent new 'wcfm_vendor' role assignments. Implement stricter role-based access controls within the WCFM Marketplace plugin to limit the impact of a compromised vendor account. Review existing user accounts for suspicious 'wcfm_vendor' assignments. After upgrading, verify the fix by attempting to register a new user and confirming that the 'wcfm_vendor' role is not directly assigned without approval.
No known patch available. Please review the vulnerability details thoroughly and apply mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
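The review step above ("review existing user accounts for suspicious 'wcfm_vendor' assignments") can be scripted against a WP-CLI user export. The following is an added example written for this page, not code from the App Builder or WCFM projects. It assumes the export was produced with `wp user list --fields=ID,user_login,roles,user_registered --format=json` (where WP-CLI prints `roles` as a comma-separated string), that you maintain a list of vendor logins that genuinely went through WCFM approval (constructed here as `APPROVED_VENDORS`), and it uses the disclosure date from this advisory to prioritise accounts created while the flaw was public. The sample export is constructed.

```python
"""Audit a WordPress user export for wcfm_vendor accounts that bypassed vendor approval."""
import json
from datetime import datetime

# Role the vulnerable registration path let callers assign themselves (from the advisory).
VENDOR_ROLE = "wcfm_vendor"
# Public disclosure date of CVE-2026-2375 (from the advisory); used only to rank findings.
DISCLOSURE_DATE = datetime(2026, 3, 21)

# Constructed sample in the shape of
#   wp user list --fields=ID,user_login,roles,user_registered --format=json
# Assumption: 'roles' is a comma-separated string, as WP-CLI prints it.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator",
     "user_registered": "2024-01-10 09:00:00"},
    {"ID": 12, "user_login": "shop_alice", "roles": "wcfm_vendor",
     "user_registered": "2025-06-02 14:21:00"},
    {"ID": 30, "user_login": "legacy_vendor", "roles": "wcfm_vendor",
     "user_registered": "2025-11-05 10:00:00"},
    {"ID": 40, "user_login": "bob", "roles": "subscriber",
     "user_registered": "2026-02-11 08:00:00"},
    {"ID": 57, "user_login": "qwe123", "roles": "wcfm_vendor,subscriber",
     "user_registered": "2026-03-22 03:14:07"},
    {"ID": 58, "user_login": "zxc987", "roles": "wcfm_vendor",
     "user_registered": "2026-03-23 03:15:10"},
])

# Constructed allow-list: vendor logins that went through WCFM's approval workflow.
# Assumption: you export this from WCFM's vendor records or your own ticketing system.
APPROVED_VENDORS = {"shop_alice"}


def parse_roles(value):
    """Normalise the roles field: WP-CLI gives a comma-separated string; other exports may give a list."""
    if isinstance(value, list):
        return {r.strip() for r in value if r.strip()}
    return {r.strip() for r in str(value).split(",") if r.strip()}


def audit_vendor_accounts(export_json, approved_logins, disclosure=DISCLOSURE_DATE):
    """Return one finding per wcfm_vendor account that is not on the approved list.

    Accounts registered on or after the disclosure date are marked 'high' because
    they were created while the unauthenticated registration path was public;
    older unapproved vendors are marked 'review'.
    """
    findings = []
    for user in json.loads(export_json):
        roles = parse_roles(user.get("roles", ""))
        if VENDOR_ROLE not in roles:
            continue
        if user["user_login"] in approved_logins:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "id": user["ID"],
            "login": user["user_login"],
            "registered": user["user_registered"],
            "priority": "high" if registered >= disclosure else "review",
        })
    return findings


def wp_cli_remediation(findings):
    """Render the WP-CLI commands that strip only the vendor role from flagged accounts.

    `wp user remove-role <user> <role>` leaves any other roles on the account intact,
    so a wrongly flagged user keeps their ordinary access while the case is reviewed.
    """
    return [f"wp user remove-role {f['id']} {VENDOR_ROLE}" for f in findings]


if __name__ == "__main__":
    results = audit_vendor_accounts(SAMPLE_EXPORT, APPROVED_VENDORS)
    for finding in results:
        print(finding)
    print("\n".join(wp_cli_remediation(results)))
```

Run the real export through `audit_vendor_accounts` after upgrading as well: an empty result for accounts created after the upgrade is the practical confirmation that the registration path no longer hands out 'wcfm_vendor' without approval.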
CVE-2026-2375 is a vulnerability in the App Builder WordPress plugin allowing unauthenticated attackers to register with the 'wcfm_vendor' role, bypassing vendor approval and potentially gaining elevated privileges. It affects versions 0.0.0–5.5.10.
If you are using the App Builder WordPress plugin in versions 0.0.0 through 5.5.10, you are potentially affected by this vulnerability. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the App Builder plugin. Until a patch is released, disable the plugin or manually review and approve all new user registrations.
While no public exploits are currently known, the ease of exploitation suggests a potential for rapid exploitation once a proof-of-concept is released. Monitor your systems closely.
Refer to the App Builder plugin developer's website or the WordPress plugin repository for official advisories and updates regarding CVE-2026-2375.