PT-2026-36563 · WordPress · App Builder

Ren Voza · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-7638

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: App Builder – Create Native Android & iOS Apps On The Flight, versions prior to 5.6.1

Description: An Insecure Direct Object Reference (IDOR) exists due to missing authorization validation in the upload_avatar() function. The /wp-json/app-builder/v1/upload-avatar endpoint accepts an attacker-controlled user_id parameter from the POST request body and updates user meta without verifying that the authenticated requester has permission to modify the target account. This allows authenticated attackers with Subscriber-level access or higher to overwrite the profile avatar of any user, including administrators.

Recommendations: Update to a version later than 5.6.0. As a temporary workaround, restrict access to the /wp-json/app-builder/v1/upload-avatar endpoint or disable the upload_avatar() function until the update is applied.
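The following is an added illustration written for this advisory, not code from the App Builder plugin or from the vendor's fix. It shows the class of defect described above (a REST handler that takes the target user ID from the request body and writes user meta without an authorization check) next to a hardened route that enforces the check both in permission_callback and again in the handler. The route namespace example/v1, all function names, the meta key and the user_id/attachment_id parameter names are assumptions; only the WordPress API calls (register_rest_route, current_user_can with the edit_user meta-capability, update_user_meta, get_current_user_id) are real.

```php
<?php
/**
 * Added illustration (hypothetical plugin code, not App Builder's own).
 * Requires WordPress; the REST route, callbacks and parameter names are assumed.
 */

// VULNERABLE PATTERN: the target user comes straight from the POST body and
// user meta is written for that user without checking the requester's rights.
// Any logged-in user (Subscriber or higher) could therefore change another
// account's avatar, including an administrator's.
function example_upload_avatar_vulnerable( WP_REST_Request $request ) {
    $user_id       = (int) $request->get_param( 'user_id' );       // attacker-controlled
    $attachment_id = (int) $request->get_param( 'attachment_id' );
    update_user_meta( $user_id, 'example_avatar_attachment', $attachment_id );
    return rest_ensure_response( array( 'updated' => $user_id ) );
}

// Resolve the target user: default to the requester when no user_id is sent.
function example_resolve_target_user( WP_REST_Request $request ) {
    $target = (int) $request->get_param( 'user_id' );
    return $target > 0 ? $target : get_current_user_id();
}

// HARDENED: permission_callback decides who may reach the handler at all.
// 'edit_user' is a WordPress meta-capability: it is granted for the caller's
// own ID, and for other IDs only to users holding 'edit_users' (admins).
function example_upload_avatar_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = example_resolve_target_user( $request );
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this user.', array( 'status' => 403 ) );
    }
    return true;
}

function example_upload_avatar_hardened( WP_REST_Request $request ) {
    $target = example_resolve_target_user( $request );

    // Defence in depth: repeat the check in the handler so the write stays
    // safe even if the route is later re-registered without permission_callback.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this user.', array( 'status' => 403 ) );
    }

    // Validate the referenced object too: it must be an existing image attachment.
    $attachment_id = (int) $request->get_param( 'attachment_id' );
    if ( 'attachment' !== get_post_type( $attachment_id ) || ! wp_attachment_is_image( $attachment_id ) ) {
        return new WP_Error( 'rest_invalid_param', 'attachment_id is not an image attachment.', array( 'status' => 400 ) );
    }

    update_user_meta( $target, 'example_avatar_attachment', $attachment_id );
    return rest_ensure_response( array( 'updated' => $target, 'attachment_id' => $attachment_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/upload-avatar', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_upload_avatar_hardened',
        'permission_callback' => 'example_upload_avatar_permission',
        'args'                => array(
            'user_id'       => array( 'type' => 'integer', 'required' => false, 'sanitize_callback' => 'absint' ),
            'attachment_id' => array( 'type' => 'integer', 'required' => true,  'sanitize_callback' => 'absint' ),
        ),
    ) );
} );
```

When reviewing a plugin for this bug class, the question to ask of every REST route is whether the object ID taken from the request is ever compared against the caller's identity or checked through a capability such as edit_user; a route whose permission_callback only confirms that the caller is logged in (or is set to __return_true) does not answer that question.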

Fix · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-7638

Affected Products: App Builder