WordPress App Builder Privilege Escalation Vulnerability

A privilege escalation vulnerability exists in the WordPress App Builder plugin, specifically in the 'Create Native Android & iOS Apps On The Flight' version 5.5.10 and prior. The issue arises because the 'verify_role()' function in 'AuthTrails.php' improperly whitelists the 'wcfm_vendor' role, allowing unauthenticated users to register as vendors through the '/wp-json/app-builder/v1/register' REST API endpoint. This bypasses the WCFM Marketplace vendor approval process, granting immediate access to vendor-level privileges such as product and store management on affected sites.

Impact

Exploitation of this vulnerability allows unauthenticated users to gain vendor-level privileges on WordPress sites using the WCFM Marketplace, enabling them to manage products, access orders, and oversee store operations.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/app-builder/v1/register' REST API endpoint. Include the 'role' parameter set to 'wcfm_vendor'. This will register a new user with vendor privileges, bypassing the WCFM approval process.