Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High1
Medium3
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2026-06-17

CVE-2026-7638 - Ios Apps On The Flight Plugin

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the…

PLUGIN Ios Apps On The Flight

CVE-2026-7638

MEDIUM CVSS 5.3 2026-05-02
Open Full Technical Breakdown
Threat Entry Updated 2026-06-17

CVE-2026-2375 - Ios Apps On The Flight Plugin

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard…

PLUGIN Ios Apps On The Flight

CVE-2026-2375

MEDIUM CVSS 6.5 2026-03-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-05

CVE-2024-9302 - Ios Apps On The Flight Plugin

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to…

PLUGIN Ios Apps On The Flight

CVE-2024-9302

HIGH CVSS 8.1 2024-10-25
Open Full Technical Breakdown
Threat Entry Updated 2024-08-31

CVE-2024-7651 - Ios Apps On The Flight Plugin

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to limited SQL Injection via the ‘app-builder-search’ parameter in all versions up to, and including, 4.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ios Apps On The Flight

CVE-2024-7651

MEDIUM CVSS 5.6 2024-08-21
Open Full Technical Breakdown
Scroll to top