CVE-2026-7638

EPSS 0.31%
Veröffentlicht 02.05.2026 03:36:42
Zuletzt bearbeitet 05.05.2026 19:17:22
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference  in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.

Mögliche Gegenmaßnahme

App Builder – Create Native Android & iOS Apps On The Flight: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 14

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerappcheap

≫

Produkt App Builder – Create Native Android & iOS Apps On The Flight

Default Statusunaffected

Version <= 5.6.0

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt App Builder – Create Native Android & iOS Apps On The Flight

Version *-5.6.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.22

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve

https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80

https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161

https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161

https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33

https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-7638

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-7638

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-7638

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-7638