App Builder Insecure Direct Object Reference Vulnerability Allowing Arbitrary User Avatar Modification

Vulnerability

A vulnerability exists in the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress in all versions up to and including 5.6.0. The issue is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check in the 'upload_avatar()' function. This function reads a 'user_id' parameter from the POST request body and uses it to update that user's metadata without verifying whether the requester is permitted to modify the specified account. As a result, authenticated attackers with Subscriber-level access or higher can change the profile avatar of any user, including administrators, by supplying a target 'user_id' to the '/wp-json/app-builder/v1/upload-avatar' endpoint.

Impact

Exploitation of this vulnerability allows for unauthorized modification of user avatars, potentially leading to impersonation or social engineering attacks, especially if an administrator's avatar is changed.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to the '/wp-json/app-builder/v1/upload-avatar' endpoint. The request must include a 'user_id' parameter specifying the target user whose avatar is to be changed, along with an 'avatar' parameter containing the image file or URL of the new avatar. The absence of proper authorization checks allows the attacker to overwrite the avatar of any user on the site.
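The pattern described in the Vulnerability and Reproduction sections, shown as an added illustration in PHP that is not the plugin's own code: a route callback that trusts the request's 'user_id' beside one that binds the write to the authenticated user and requires the 'edit_user' capability for anyone else. The route namespace and path are taken from the advisory; the meta key 'app_builder_avatar', the function names and the treatment of 'avatar' as a URL are assumptions.

```php
<?php
// Hypothetical handlers for POST /wp-json/app-builder/v1/upload-avatar (not the plugin's code).
// Assumed meta key: 'app_builder_avatar'; 'avatar' is treated as an image URL for brevity.

// Vulnerable pattern: the target account comes straight from the request body and the
// only gate is "is the caller logged in", so any Subscriber can name another user's id.
function vulnerable_upload_avatar( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $avatar  = esc_url_raw( $request->get_param( 'avatar' ) );
    update_user_meta( $user_id, 'app_builder_avatar', $avatar ); // no ownership check
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}

// Hardened pattern: default to the caller's own account, and allow another target only
// when WordPress confirms the caller may edit that user (the per-object check that closes the IDOR).
function hardened_upload_avatar( WP_REST_Request $request ) {
    $current   = get_current_user_id();
    $requested = (int) $request->get_param( 'user_id' );
    $target    = $requested > 0 ? $requested : $current;

    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot modify this user.', array( 'status' => 403 ) );
    }
    $avatar = esc_url_raw( $request->get_param( 'avatar' ) );
    if ( '' === $avatar ) {
        return new WP_Error( 'rest_invalid_param', 'avatar is required.', array( 'status' => 400 ) );
    }
    update_user_meta( $target, 'app_builder_avatar', $avatar );
    return rest_ensure_response( array( 'user_id' => $target ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'app-builder/v1', '/upload-avatar', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_upload_avatar',
        // A login-only permission_callback is exactly the vulnerable state on its own;
        // it must be paired with the per-user capability check inside the callback.
        'permission_callback' => 'is_user_logged_in',
        'args'                => array(
            'user_id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'avatar'  => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

A quick audit check for this class of bug is to grep REST callbacks for `get_param( 'user_id' )` feeding `update_user_meta()` and confirm each one is preceded by a comparison against `get_current_user_id()` or a `current_user_can( 'edit_user', ... )` call.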

Added: May 2, 2026, 4:25 AM
Updated: May 2, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 0.0
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.