Vulnerabilities

CVE-2026-2375

Medium
CWE-269 — Weakness Type
Published: Mar 21, 2026  ·  Modified: Mar 23, 2026  ·  Source: NVD
CVSS v3: 6.5
📄 Description (English)

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.

🤖 AI Executive Summary

The App Builder WordPress plugin (versions ≤5.5.10) contains a critical privilege escalation vulnerability allowing unauthenticated attackers to register accounts with vendor-level privileges by bypassing WCFM Marketplace's approval workflow. Attackers can exploit the REST API endpoint to gain immediate access to product management, order processing, and store administration capabilities without proper authorization. This vulnerability poses significant risk to e-commerce platforms operating in Saudi Arabia, particularly those using WCFM for multi-vendor marketplaces.

🤖 AI Intelligence Analysis Analyzed: May 12, 2026 09:53
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi e-commerce sector, particularly affecting: (1) Multi-vendor marketplace platforms using WCFM (Noon, Zando, local B2C platforms), (2) SME retailers and small businesses operating on WordPress-based marketplaces, (3) Payment processing systems integrated with vendor accounts (ARAMCO supplier networks, government procurement platforms), (4) Telecom sector e-commerce operations (STC, Mobily online stores). Attackers could fraudulently register as vendors, access customer orders, manipulate product listings, process refunds, and potentially exfiltrate payment data. Impact extends to SAMA-regulated payment systems if integrated with affected platforms.
🏢 Affected Saudi Sectors
E-commerce and Retail, Banking and Financial Services, Government and Public Sector, Telecommunications, Healthcare, Energy and Utilities, Logistics and Supply Chain
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the App Builder plugin immediately, or restrict REST API access to the `/wp-json/app-builder/v1/register` endpoint via .htaccess or WAF rules
2. Audit all user accounts created in the past 30 days, particularly those with `wcfm_vendor` role assigned without proper approval workflow
3. Review vendor transaction logs and order access patterns for suspicious activity
4. Reset passwords for all vendor accounts and enforce MFA

PATCHING GUIDANCE:
1. Contact plugin developer for security patch or upgrade to version >5.5.10 when available
2. If patch unavailable, implement custom code to remove `wcfm_vendor` from the whitelist in `verify_role()` function
3. Modify REST endpoint to require WCFM vendor approval before role assignment
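The patching guidance above amounts to narrowing the role allow-list and routing vendor intent through the approval workflow instead of granting the role on registration. As an added illustration (not the plugin's source, which is not on this page), the weak pattern the advisory describes is shown beside a hardened form; `_app_builder_vendor_application` is a hypothetical meta key standing in for whatever record WCFM's approval workflow consumes.

```php
<?php
// Illustrative reconstruction of the weak pattern the advisory describes
// (not the plugin's actual code): a role sent by an unauthenticated client is
// accepted if it is on a static allow-list that includes the privileged
// wcfm_vendor role, and is then passed straight to wp_insert_user().
function verify_role_vulnerable( string $requested ): string {
    $allowed = array( 'subscriber', 'customer', 'wcfm_vendor' );
    return in_array( $requested, $allowed, true ) ? $requested : 'subscriber';
}

// Hardened form: public self-registration may only yield unprivileged roles.
// Anything else silently falls back to the lowest role.
function verify_role_hardened( string $requested ): string {
    $self_service = array( 'subscriber', 'customer' );
    return in_array( $requested, $self_service, true ) ? $requested : 'subscriber';
}

// Registration helper built on the hardened check. A request for the vendor
// role is preserved only as a pending application flag for the approval
// workflow; the account itself never starts with vendor capabilities.
function register_user_hardened( string $login, string $email, string $password, string $requested_role ) {
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => verify_role_hardened( $requested_role ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    if ( 'wcfm_vendor' === $requested_role ) {
        // Hypothetical meta key; the real approval record depends on the marketplace setup.
        update_user_meta( $user_id, '_app_builder_vendor_application', 'pending' );
    }
    return $user_id;
}
```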

COMPENSATING CONTROLS:
1. Implement WAF rule: Block POST requests to `/wp-json/app-builder/v1/register` with `role=wcfm_vendor` parameter
2. Restrict REST API access to authenticated users only via `rest_authentication_errors` filter
3. Implement IP whitelisting for vendor registration endpoints
4. Enable WordPress security logging for user registration and role changes
5. Deploy SIEM monitoring for unusual vendor account creation patterns

DETECTION RULES:
1. Alert on POST requests to `/wp-json/app-builder/v1/register` containing `role` parameter
2. Monitor for `wcfm_vendor` role assignments without corresponding WCFM approval records
3. Track failed WCFM vendor approval attempts followed by successful REST API registrations
4. Flag vendor accounts created outside business hours or from non-Saudi IP ranges
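Compensating control 1 and detection rule 2 can also be enforced inside WordPress as a must-use plugin, shown here as an added example that is not part of the advisory or of either plugin. It assumes the route App Builder registers is `/app-builder/v1/register` (the path in the advisory's URL) and uses `_wcfm_vendor_approved` as a hypothetical meta key standing in for the site's real approval record.

```php
<?php
/**
 * Plugin Name: App Builder register hardening (added example, not the plugin's code)
 * Place in wp-content/mu-plugins/ as a stopgap until a fixed plugin version is installed.
 */

// 1. Refuse any self-service registration on the App Builder endpoint that asks
//    for a role other than the unprivileged ones. This mirrors the WAF rule but is
//    enforced in WordPress, so it also covers JSON bodies a WAF may not parse.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'POST' !== $request->get_method()
        || '/app-builder/v1/register' !== $request->get_route() ) {
        return $result;
    }
    $role = $request->get_param( 'role' ); // checks query, form body and JSON params
    if ( null !== $role && ! in_array( $role, array( 'subscriber', 'customer' ), true ) ) {
        error_log( sprintf( 'app-builder register blocked: role=%s ip=%s',
            $role, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'rest_forbidden_role', 'Role cannot be self-assigned.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );

// 2. Detection: log every wcfm_vendor role assignment that has no approval record,
//    so the SIEM can alert on vendor accounts that skipped the WCFM workflow.
//    '_wcfm_vendor_approved' is a hypothetical meta key; adapt it to what the
//    marketplace actually stores when a vendor is approved.
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'wcfm_vendor' !== $role ) {
        return;
    }
    if ( ! get_user_meta( $user_id, '_wcfm_vendor_approved', true ) ) {
        error_log( sprintf( 'ALERT unapproved wcfm_vendor assignment: user_id=%d uri=%s ip=%s',
            $user_id, $_SERVER['REQUEST_URI'] ?? '-', $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }
}, 10, 2 );
```

Forward the `error_log` output (typically `wp-content/debug.log` or the PHP error log) to the SIEM so the alert in rule 2 lands where analysts will see it.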
🔧 Remediation Steps (Arabic version, translated)
IMMEDIATE ACTIONS:
1. Disable the App Builder plugin immediately, or restrict REST API access to the `/wp-json/app-builder/v1/register` endpoint via .htaccess or WAF rules
2. Audit all user accounts created in the last 30 days, particularly those assigned the `wcfm_vendor` role without a proper approval workflow
3. Review vendor transaction logs and order access patterns for suspicious activity
4. Reset passwords for all vendor accounts and enforce multi-factor authentication

PATCHING GUIDANCE:
1. Contact the plugin developer for a security patch, or upgrade to a version >5.5.10 when available
2. If no patch is available, implement custom code to remove `wcfm_vendor` from the allow-list in the `verify_role()` function
3. Modify the endpoint to require WCFM vendor approval before role assignment

COMPENSATING CONTROLS:
1. Implement a WAF rule: block POST requests to `/wp-json/app-builder/v1/register` carrying the `role=wcfm_vendor` parameter
2. Restrict REST API access to authenticated users only via the `rest_authentication_errors` filter
3. Implement IP allow-listing for vendor registration endpoints
4. Enable WordPress security logging for user registration and role changes
5. Deploy SIEM monitoring for unusual vendor account creation patterns

DETECTION RULES:
1. Alert on POST requests to `/wp-json/app-builder/v1/register` containing the `role` parameter
2. Monitor `wcfm_vendor` role assignments without corresponding WCFM approval records
3. Track failed WCFM vendor approval attempts followed by successful REST API registrations
4. Flag vendor accounts created outside business hours or from non-Saudi IP ranges
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - User Access Control: Unauthorized privilege escalation violates access control policies
ECC 2024 A.5.1.2 - User Registration and De-registration: Bypassing the vendor approval workflow violates registration procedures
ECC 2024 A.5.2.1 - User Access Rights: Improper role assignment without authorization
ECC 2024 A.5.3.1 - Password Management: Unauthenticated access bypasses authentication requirements
ECC 2024 A.7.1.1 - Information Security Policies and Procedures: Inadequate API endpoint security
🔵 SAMA CSF
SAMA CSF ID.AM-1: Asset Management - Unauthorized vendor account creation affects asset inventory
SAMA CSF PR.AC-1: Access Control - Privilege escalation violates access control principles
SAMA CSF PR.AC-4: Access Control - Inadequate authentication and authorization mechanisms
SAMA CSF DE.CM-1: Detection and Analysis - Insufficient monitoring of unauthorized access attempts
SAMA CSF RS.MI-2: Response and Recovery - Incident response procedures for unauthorized vendor access
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1.1 - Policies for information security: Access control policy violations
ISO 27001:2022 A.5.2.1 - Information security responsibilities: User access management failures
ISO 27001:2022 A.5.3.1 - Segregation of duties: Inadequate role-based access control
ISO 27001:2022 A.8.2.1 - User registration and access provisioning: Unauthorized account creation
ISO 27001:2022 A.8.2.3 - Management of privileged access rights: Improper privilege assignment
ISO 27001:2022 A.8.3.1 - Password management: Weak authentication controls on API endpoints
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default security parameters: Insecure API endpoint configuration
PCI DSS 6.5.10 - Broken authentication: Unauthenticated access to sensitive functions
PCI DSS 7.1 - Access control: Unauthorized privilege escalation affecting payment processing
PCI DSS 8.1.1 - User identification and authentication: Inadequate user registration controls
PCI DSS 8.2.3 - User password management: Weak authentication on vendor registration
📊 CVSS Score: 6.5 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: L — Low
Integrity: L — Low
Availability: N — None
📋 Quick Facts
Severity: Medium
CVSS Score: 6.5
CWE: CWE-269
Exploit: No
Patch: ✗ No
Published: 2026-03-21
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 — Saudi Risk, Priority: HIGH
🏷️ Tags
CWE-269