Platform: wordpress
Component: app-builder
Fixed in: 5.5.11
CVE-2026-2375 describes a Privilege Escalation vulnerability discovered in the App Builder WordPress plugin, a tool for creating native Android and iOS apps. This flaw allows unauthenticated attackers to gain elevated privileges by registering an account with the wcfm_vendor role, effectively bypassing the intended vendor approval process. The vulnerability impacts versions from 0.0.0 up to and including 5.5.10, and a fix is expected in a future release.
The primary impact of CVE-2026-2375 is the ability for an attacker to gain unauthorized access and control within a WordPress site utilizing the App Builder plugin. By registering with the wcfm_vendor role, an attacker could potentially manipulate product listings, access sensitive vendor data, or even modify site configurations depending on the permissions associated with that role. This could lead to data breaches, financial losses, and reputational damage. The lack of vendor approval integration means that the plugin does not properly validate the legitimacy of new vendor accounts, creating a direct pathway for malicious actors.
CVE-2026-2375 was published on March 21, 2026. While no public exploits are currently known, the low barrier to abuse (only an account registration is required) means exploitation could become widespread quickly once a proof of concept is released. The vulnerability's impact on WordPress sites using the App Builder plugin warrants a high level of attention. Severity is pending further evaluation, but the potential for privilege escalation makes it a significant risk.
Exploit Status
EPSS: 0.06% (18th percentile)
The immediate mitigation for CVE-2026-2375 is to upgrade to a patched version of the App Builder plugin as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, administrators can manually review and approve all new user registrations, specifically scrutinizing those requesting the wcfm_vendor role. Implementing a Web Application Firewall (WAF) with rules to block suspicious registration attempts targeting the /wp-json/app-bu endpoint could also provide an additional layer of defense. Monitor WordPress logs for unusual user registration patterns and role assignments.
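One way to enforce the manual-review workaround above while no patch is installed, written here as an added example that uses only WordPress core hooks and is not the App Builder plugin's own code. It assumes that legitimate vendor approval is performed by a logged-in user holding the core promote_users capability; the user-meta key and log message format are constructed for this example.

```php
<?php
/**
 * Plugin Name: Guard wcfm_vendor role assignment (constructed example)
 * Description: Temporary workaround while CVE-2026-2375 is unpatched: the
 *              wcfm_vendor role may only be granted by a user who can promote users.
 */

// Constructed example for wp-content/mu-plugins/; not code from the App Builder plugin.
// Assumption: vendor approval is done by a logged-in user with 'promote_users'
// (administrators by default). Any other path that grants the role is reverted.

function cve_2026_2375_guard_vendor_role( $user_id, $role ) {
    if ( 'wcfm_vendor' !== $role ) {
        return;
    }
    // Normal path: an administrator approving a vendor from the dashboard.
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // Unprivileged request (e.g. an anonymous REST registration) obtained the role:
    // demote to the site's default role and flag the account for manual review.
    // Never fall back to wcfm_vendor itself, or set_role() would re-trigger this hook.
    $fallback = get_option( 'default_role', 'subscriber' );
    if ( 'wcfm_vendor' === $fallback ) {
        $fallback = 'subscriber';
    }
    $user->set_role( $fallback ); // fires set_user_role again, but with $fallback, so we return early
    update_user_meta( $user_id, '_pending_vendor_review', current_time( 'mysql' ) ); // constructed meta key
    error_log( sprintf(
        'CVE-2026-2375 guard: wcfm_vendor stripped from user %d (%s); request from %s %s',
        $user_id,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
    ) );
}

// set_user_role fires from WP_User::set_role() (which wp_insert_user() uses when a
// role is supplied); add_user_role fires from WP_User::add_role(). Hook both.
add_action( 'set_user_role', 'cve_2026_2375_guard_vendor_role', 10, 2 );
add_action( 'add_user_role', 'cve_2026_2375_guard_vendor_role', 10, 2 );
```

The guard only sees role changes made through the WordPress user API; code that writes the capabilities user meta directly bypasses it, so keep the log review and WAF rules in place alongside it.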
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-2375 is a vulnerability in the App Builder WordPress plugin allowing unauthenticated attackers to register with the 'wcfm_vendor' role, bypassing vendor approval and potentially gaining elevated privileges. It affects versions 0.0.0–5.5.10.
If you are using the App Builder WordPress plugin in versions 0.0.0 through 5.5.10, you are potentially affected by this vulnerability. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the App Builder plugin. Until a patch is released, disable the plugin or manually review and approve all new user registrations.
While no public exploits are currently known, the ease of exploitation suggests a potential for rapid exploitation once a proof-of-concept is released. Monitor your systems closely.
Refer to the App Builder plugin developer's website or the WordPress plugin repository for official advisories and updates regarding CVE-2026-2375.