What is CVE -2026-27067?

CVE-2026-27067 is a high-severity vulnerability in the Mobile App Editor – WordPress to Android App Builder plugin. It allows authenticated users with Editor-level access or higher to upload arbitrary files due to insufficient file type validation.

How does this vulnerability work?

The vulnerability arises from the lack of proper validation for file types uploaded through the plugin. This allows attackers to bypass restrictions and upload potentially malicious files to the server, which could lead to remote code execution.

Who is affected by this vulnerability?

Any WordPress site using the Mobile App Editor plugin version 1.3.1 or earlier is at risk. Specifically, users with Editor-level permissions or higher can exploit this vulnerability.

How can I check if my site is affected?

To check if your site is affected, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Mobile App Editor plugin. Verify that the version is 1.3.1 or lower.

How can I mitigate the risk associated with this vulnerability?

To mitigate the risk, you should immediately disable the Mobile App Editor plugin until a patch is available. Additionally, review user permissions to limit access to Editor-level users and above.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to the affected systems. It is advisable to treat this vulnerability with urgency.

What are the potential impacts of this vulnerability?

The potential impacts include data theft, privilege escalation, and complete site compromise. Exploitation could allow attackers to execute arbitrary code on the server.

What is a proof of concept in relation to this vulnerability?

A proof of concept would typically demonstrate how an attacker could exploit the vulnerability to upload a malicious file. However, the specific proof of concept for this vulnerability is currently unknown due to missing metadata.

What should I do if I cannot find a patch for this vulnerability?

If no patch is available, consider removing the plugin entirely or replacing it with a more secure alternative. Regularly monitor for updates from the developer regarding the vulnerability.

How can I protect my site from similar vulnerabilities in the future?

To protect your site, keep all plugins and themes updated, regularly audit user permissions, and implement security measures such as firewalls and security plugins that can help detect and prevent file upload vulnerabilities.

Is there a timeline for when this vulnerability will be addressed?

There is currently no information on when or if the vulnerability will be addressed by the plugin developers. Site administrators should remain vigilant and consider alternative solutions.

What is the CWE classification for this vulnerability?

The vulnerability is classified under CWE-434, which refers to ‘Unrestricted Upload of File with Dangerous Type’. This classification highlights the failure to properly validate file types, leading to security risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-27067: Mobile App Editor – WordPress to Android App Builder <= 1.3.1 – Authenticated (Editor+) Arbitrary File Upload (mobile-app-editor)

CVE ID CVE-2026-27067

Plugin mobile-app-editor

Severity High (CVSS 7.2)

CWE 434

Vulnerable Version —

Patched Version —

Disclosed March 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27067 (metadata-based):
This vulnerability is a critical security flaw in the WordPress plugin ‘mobile-app-editor’. The vulnerability description and CWE classification are unavailable, preventing a definitive technical assessment. Without this core metadata, the specific vulnerability type, affected component, and severity cannot be determined.

Atomic Edge research cannot infer a root cause without a CWE classification or vulnerability description. The analysis lacks the necessary information to determine whether the flaw involves SQL injection, cross-site scripting, authentication bypass, or another security weakness. Any conclusion about the root cause would be speculative.

Exploitation methodology remains unknown. The missing metadata prevents identification of the attack vector, such as specific AJAX actions (`admin-ajax.php`), REST API endpoints (`/wp-json/`), or direct file access. Constructing a reliable proof-of-concept requires knowledge of the vulnerable endpoint and the parameters an attacker must manipulate.

Remediation guidance depends entirely on the vulnerability type. A proper fix would require the plugin developer to implement security controls appropriate to the flaw, such as input validation, output escaping, capability checks, or nonce verification. The absence of a patched version suggests the plugin may be abandoned, leaving sites permanently vulnerable.

The potential impact ranges from information disclosure to full site compromise, but the exact consequences are undefined. Exploitation could lead to data theft, privilege escalation, or remote code execution, depending on the nature of the underlying security defect. Site administrators should treat this plugin as high-risk until a security audit can be performed.

Frequently Asked Questions

What is CVE-2026-27067?
Overview of the vulnerability
CVE-2026-27067 is a high-severity vulnerability in the Mobile App Editor – WordPress to Android App Builder plugin. It allows authenticated users with Editor-level access or higher to upload arbitrary files due to insufficient file type validation.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the lack of proper validation for file types uploaded through the plugin. This allows attackers to bypass restrictions and upload potentially malicious files to the server, which could lead to remote code execution.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Mobile App Editor plugin version 1.3.1 or earlier is at risk. Specifically, users with Editor-level permissions or higher can exploit this vulnerability.
How can I check if my site is affected?
Verifying plugin version
To check if your site is affected, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Mobile App Editor plugin. Verify that the version is 1.3.1 or lower.
How can I mitigate the risk associated with this vulnerability?
Recommended actions
To mitigate the risk, you should immediately disable the Mobile App Editor plugin until a patch is available. Additionally, review user permissions to limit access to Editor-level users and above.
What does the CVSS score of 7.2 indicate?
Understanding severity levels
A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to the affected systems. It is advisable to treat this vulnerability with urgency.
What are the potential impacts of this vulnerability?
Consequences of exploitation
The potential impacts include data theft, privilege escalation, and complete site compromise. Exploitation could allow attackers to execute arbitrary code on the server.
What is a proof of concept in relation to this vulnerability?
Demonstrating the issue
A proof of concept would typically demonstrate how an attacker could exploit the vulnerability to upload a malicious file. However, the specific proof of concept for this vulnerability is currently unknown due to missing metadata.
What should I do if I cannot find a patch for this vulnerability?
Next steps for site administrators
If no patch is available, consider removing the plugin entirely or replacing it with a more secure alternative. Regularly monitor for updates from the developer regarding the vulnerability.
How can I protect my site from similar vulnerabilities in the future?
Best practices for security
To protect your site, keep all plugins and themes updated, regularly audit user permissions, and implement security measures such as firewalls and security plugins that can help detect and prevent file upload vulnerabilities.
Is there a timeline for when this vulnerability will be addressed?
Expectations for remediation
There is currently no information on when or if the vulnerability will be addressed by the plugin developers. Site administrators should remain vigilant and consider alternative solutions.
What is the CWE classification for this vulnerability?
Understanding the underlying issue
The vulnerability is classified under CWE-434, which refers to ‘Unrestricted Upload of File with Dangerous Type’. This classification highlights the failure to properly validate file types, leading to security risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations