Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the Build App Online plugin that enables an attacker to send forged requests from a victim’s browser. This can lead to unauthorized actions performed with the victim’s credentials, potentially compromising the site’s integrity and privacy. The weakness is identified as CWE‑352. No elevated privileges are required, but the attacker must convince a victim to visit a malicious site or load a malicious resource while authenticated to the target WordPress installation.
Affected Systems
WordPress sites using the Build App Online plugin by hakeemnala, specifically versions up to and including 1.0.23, are affected. No starting version is identified; the issue applies to all releases from the first available version through 1.0.23.
Risk and Exploitability
The CVSS score is 6.5, indicating a moderate risk level. The EPSS score of less than 1 % suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a victim’s browser making authenticated requests to the plugin’s state‑changing endpoints without valid CSRF tokens, as inferred from the description. Successful exploitation would allow an attacker to perform any administrative or user actions supported by the plugin without needing direct access to the site’s backend.
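The mitigation for this class of flaw in a WordPress plugin is to tie every state-changing request to a nonce the site issued to that user and to check capabilities separately. The following is an added example, not code from the Build App Online plugin or from OpenCVE; the hook names, option name and capability are hypothetical and show the unprotected pattern beside its hardened form.

```php
<?php
// Added example (not the Build App Online plugin's code): a generic WordPress
// admin-ajax handler that changes state, first without and then with the checks
// that close a CWE-352 hole. Hook and option names are hypothetical.

// --- Vulnerable pattern: a request carrying the victim's session cookie is
// honoured as-is, whether or not it came from a page the site rendered. ---
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    // No nonce check and no capability check: a forged POST is
    // indistinguishable from a legitimate one.
    update_option( 'example_api_endpoint', sanitize_text_field( $_POST['endpoint'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: the nonce proves the request originated from a form
// the site rendered for this user; the capability check limits who may act. ---
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // Stops the request (HTTP 403 for AJAX) unless $_POST['_ajax_nonce'] is a
    // valid nonce for the 'example_save_settings' action and the current user.
    check_ajax_referer( 'example_save_settings', '_ajax_nonce' );

    // CSRF protection is not authorization: also require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    update_option( 'example_api_endpoint', esc_url_raw( $_POST['endpoint'] ?? '' ) );
    wp_send_json_success();
}

// The settings page must emit the matching nonce so legitimate requests carry it.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings_v2">';
    wp_nonce_field( 'example_save_settings', '_ajax_nonce' );
    echo '<input type="url" name="endpoint">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this weakness, look for every `admin_post_*`, `wp_ajax_*` and REST callback that writes data and confirm it reaches a `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` call before the write.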
OpenCVE Enrichment