Knowband Mobile App Builder WordPress Plugin Unauthenticated Arbitrary User Deletion Vulnerability

Vulnerability

A vulnerability exists in the Knowband Mobile App Builder WordPress plugin for WooCommerce prior to version 3.0.0. The plugin's REST API does not perform authorization checks on user deletion requests, so an unauthenticated attacker can delete arbitrary user accounts.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of users, which could disrupt user accounts and associated data.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress site's REST API endpoint for user deletion, specifically targeting the Knowband Mobile App Builder for WooCommerce plugin. Include the email address of a valid user account in the request data. This action can be performed without authentication, leading to the deletion of the specified user.

Remediation

Users are advised to update the Knowband Mobile App Builder WordPress plugin to version 3.0.0 or later.
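The missing-authorization pattern described above and the shape of the fix, as an added illustration in WordPress plugin PHP; this is not the plugin's own code, and the route namespace, path and parameter name are hypothetical placeholders.

```php
<?php
// Added example (not the Knowband plugin's code). Namespace, route and
// argument names are placeholders chosen for illustration.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/delete-user', array(
        'methods'  => WP_REST_Server::CREATABLE, // POST
        'callback' => 'example_delete_user_by_email',
        // Weak form of the route: 'permission_callback' => '__return_true'
        // lets any unauthenticated caller reach the deletion callback.
        // Hardened form: require a logged-in caller with delete_users.
        // REST requests without a valid nonce or application password are
        // treated by WordPress as unauthenticated, so this check fails closed.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() || ! current_user_can( 'delete_users' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges to delete users.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
            ),
        ),
    ) );
} );

function example_delete_user_by_email( WP_REST_Request $request ) {
    $user = get_user_by( 'email', $request->get_param( 'email' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.', array( 'status' => 404 ) );
    }
    // Defence in depth: never let an app-facing endpoint remove an administrator.
    if ( user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot delete an administrator.', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    return rest_ensure_response( array( 'deleted' => wp_delete_user( $user->ID ) ) );
}
```

Auditing for `'permission_callback' => '__return_true'` on any route whose callback changes state is a quick way to find this class of flaw in other plugins.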

Added: Dec 31, 2025, 6:21 AM
Updated: Dec 31, 2025, 6:21 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 8.7
remediation:    7.7
relevance:      1.8
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.