The vulnerability CVE-2026-2375 affects the WordPress plugin 'App Builder – Create Native Android & iOS Apps On The Flight' developed by appcheap, present in all versions up to and including 5.5.10. The root cause lies in improper privilege management (CWE-269) within the verify_role() function in AuthTrails.php. This function explicitly whitelists the 'wcfm_vendor' role alongside 'subscriber' and 'customer' roles and assigns it directly to new users via the wp_insert_user() function. Critically, this assignment bypasses the WCFM Marketplace's vendor approval workflow, which normally requires manual approval before granting vendor privileges. The vulnerability is exploitable through the plugin's REST API endpoint /wp-json/app-builder/v1/register by unauthenticated attackers who can supply the 'role' parameter with the value 'wcfm_vendor'. This results in immediate elevation to vendor-level privileges, granting capabilities such as product management, order access, and store management on WordPress sites where both the plugin and WCFM Marketplace are active. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or known exploits are currently reported, but the vulnerability poses a significant risk due to the ease of exploitation and the sensitive privileges granted.

This vulnerability allows unauthenticated attackers to escalate privileges to vendor-level on affected WordPress sites, bypassing normal approval processes. The impact includes unauthorized access to sensitive business functions such as product creation and modification, order viewing and management, and store configuration. This can lead to data leakage of customer orders, manipulation or sabotage of product listings, fraudulent transactions, and potential disruption of e-commerce operations. Organizations relying on the App Builder plugin in conjunction with WCFM Marketplace risk compromise of their online store integrity and confidentiality. The breach of vendor privileges could also facilitate further attacks, including supply chain manipulation or insertion of malicious content. Given the widespread use of WordPress and e-commerce plugins, the scope of affected systems could be substantial, especially for businesses using these specific plugins. The vulnerability does not impact system availability directly but compromises integrity and confidentiality significantly.

Organizations should immediately audit their WordPress installations for the presence of the App Builder – Create Native Android & iOS Apps On The Flight plugin and WCFM Marketplace. Until an official patch is released, administrators should implement the following mitigations: 1) Disable or restrict access to the /wp-json/app-builder/v1/register REST API endpoint, especially for unauthenticated users, using web application firewalls or custom rules. 2) Implement server-side validation to reject any registration requests that attempt to assign the 'wcfm_vendor' role without proper approval workflows. 3) Monitor user registrations for suspicious role assignments and revoke unauthorized vendor accounts promptly. 4) Limit plugin usage to trusted environments or consider temporarily disabling the plugin if vendor functionality is not critical. 5) Stay updated with vendor advisories for patches and apply them immediately upon release. 6) Employ WordPress security plugins that can detect and block privilege escalation attempts. 7) Conduct regular security audits and review user roles to ensure no unauthorized privilege escalations have occurred.