CVE-2025-13029
Description
The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Knowband Mobile App Builder plugin for WooCommerce before 3.0.0 lacks authorization on its REST API user deletion endpoint, allowing unauthenticated attackers to delete arbitrary users.
Vulnerability Overview
The Knowband Mobile App Builder plugin for WooCommerce, versions before 3.0.0, contains an authorization bypass vulnerability in its REST API endpoint used for user deletion. The plugin fails to verify permissions or require authentication when processing delete requests, meaning any unauthenticated visitor can trigger the deletion of arbitrary WordPress users.
Exploitation Details
An attacker can exploit this flaw by sending a crafted HTTP request to the vulnerable REST API endpoint without any authentication credentials [1]. No special network position or prior access is required: a remote, unauthenticated attacker simply needs to know or guess the target user ID. The endpoint directly processes the deletion without checking if the requester is an administrator or has any capability to manage users.
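The missing check described in the Overview and Exploitation Details sections, as an added illustration of the bug class and its fix. This is not the Knowband plugin's own code; the REST namespace, route paths and function names are assumptions chosen for the example. It shows a WordPress REST route whose permission_callback unconditionally returns true beside the same route gated on the delete_users capability.

```php
<?php
// Added illustration, not the Knowband plugin's code; route and function names are assumed.
// VULNERABLE pattern: permission_callback always returns true, so any
// unauthenticated visitor who supplies a user ID reaches the delete handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/user/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_user',
        'permission_callback' => '__return_true', // no authorization check: the defect
    ) );
} );

// HARDENED pattern: same handler, but the route is gated on an authenticated
// caller holding delete_users (administrators by default), refuses to delete
// the caller's own account, and validates the id argument up front.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/secure-user/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_user',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie-authenticated callers must also send a valid X-WP-Nonce,
            // otherwise WordPress evaluates this check as a logged-out user.
            if ( ! current_user_can( 'delete_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'Sorry, you are not allowed to delete users.',
                    array( 'status' => rest_authorization_required_code() ) ); // 401 anonymous, 403 otherwise
            }
            if ( (int) $request['id'] === get_current_user_id() ) {
                return new WP_Error( 'rest_cannot_delete_self', 'Refusing to delete the current user.',
                    array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $value ) {
                return ctype_digit( (string) $value ) && (int) $value > 0;
            } ),
        ),
    ) );
} );

function example_delete_user( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $id = (int) $request['id'];
    if ( ! get_userdata( $id ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => wp_delete_user( $id ) ) );
}
```

When auditing a plugin for this class of flaw, look for every register_rest_route() whose permission_callback is missing or is `__return_true` and confirm the callback is genuinely meant to be public.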
Impact
Successful exploitation allows the attacker to delete any registered user account on the WordPress site, including administrators [1]. This action can lead to complete site takeover if the sole administrator account is removed, loss of access for legitimate users, and serious disruption of site operations.
Mitigation
The vulnerability has been fixed in version 3.0.0 of the plugin [1]. Users are strongly advised to update immediately. No other workarounds are provided by the vendor. The plugin's changelog and the advisory from WPScan confirm the fix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.