cleantalk
Vulnerabilities and Security Researches

App Builder – Create Native Android & iOS Apps On The Flight, CVE-2024-9302

CVE, Research URL

CVE-2024-9302

Home page URL

Security reports for App Builder – Create Native Android & iOS Apps On The Flight

Application

App Builder – Create Native Android & iOS Apps On The Flight

Published on
Oct 25, 2024
Research Description
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This is due to the verify_otp_forgot_password() and update_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.
Affected versions
Min -, max 5.3.8.
Status
vulnerable
Previous vulnerability researches
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder (CVE-2024-50477) , Oct 29, 2024
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder (CVE-2024-50528) , Nov 03, 2024
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder (CVE-2024-50527) , Nov 03, 2024
App Builder – Create Native Android & iOS Apps On The Flight (CVE-2024-9302) , Oct 26, 2024
App Builder – Create Native Android & iOS Apps On The Flight (CVE-2024-7651) , Aug 22, 2024
New vulnerability
WP Edit (CVE-2025-53253) , Jul 01, 2025
Accept Authorize.NET Payments Using Contact Form 7 (CVE-2025-53322) , Jul 01, 2025
Owl carousel responsive (CVE-2025-5590) , Jul 01, 2025
App Builder – Create Native Android & iOS Apps On The Flight (CVE-2025-49989) , Jul 01, 2025
Sitekit (CVE-2025-50047) , Jul 01, 2025