Description
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Post Author Modification
Action: Apply Patch
AI Analysis

Impact

The Build App Online plugin for WordPress registers an AJAX endpoint named 'build-app-online-update-vendor-product' that accepts a post ID from the requester and invokes wp_update_post() to change the post_author field. Because the endpoint is registered with wp_ajax_nopriv and lacks a capability check, nonce verification, or any authentication step, an attacker can send the request without logging in. An unauthenticated requester can therefore set the author of any post to zero, effectively orphaning it, and an authenticated user can claim any post by setting the author to themselves. The core weakness is a missing authorization check (CWE-862), resulting in potential defacement, content hijacking, and denial of rightful ownership.

Affected Systems

The vulnerable code resides in the Build App Online plugin developed by hakeemnala. All releases up to and including version 1.0.23 contain the insecure AJAX action. Any WordPress installation that has this plugin installed and is running a version ≤1.0.23 is affected. The issue affects the administrative area of the site, but the attack vector operates through a publicly accessible AJAX route.

Risk and Exploitability

The severity score of 5.3 indicates moderate risk. The absence of authentication checks makes the vulnerability trivial to exploit from any network that can reach the WordPress site. Because the EPSS score is not available, the likelihood of exploitation is unclear, but the straightforward attack path and lack of safeguards suggest a high probability of real-world abuse. The vulnerability is not listed in the CISA KEV catalog; however, sites running the affected plugin remain at risk of content takeover or defacement until the issue is remediated.

Generated by OpenCVE AI on March 21, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Build App Online plugin to the latest version, which removes the unauthenticated AJAX action and verifies user capabilities before updating post authors.
  • If an update is not immediately possible, edit the plugin code to remove the 'build-app-online-update-vendor-product' hook from the wp_ajax_nopriv list, or use a security plugin or .htaccess rule to block unauthenticated access to that endpoint.
  • After applying the fix, verify that no unauthenticated requests can change post authors, either by testing with a non-logged-in user or by running a security scan that looks for writable post_author fields.
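The handler shape the Description above calls out, and the hardened form the Recommended Actions ask for, as an added example that is not the plugin's own code. The bao_example_* function names, the 'post_id' request field, the 'bao_update_vendor_product' nonce action, and the assumption that the handler assigns the calling user as post_author are all placeholders inferred from the advisory text.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: bao_example_* functions,
// the 'post_id' request field, the 'bao_update_vendor_product' nonce action, and the
// assumption that the handler sets post_author to the current user.

// Before (the shape the advisory describes): reachable via wp_ajax_nopriv_, no nonce,
// no capability check, post ID taken straight from the request. Left as comments so
// it is not registered alongside the hardened handler below.
//   add_action( 'wp_ajax_nopriv_build-app-online-update-vendor-product', 'bao_example_unsafe' );
//   add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_example_unsafe' );
//   function bao_example_unsafe() {
//       $post_id = (int) $_POST['post_id'];                 // caller-chosen post
//       wp_update_post( array( 'ID' => $post_id,
//           'post_author' => get_current_user_id() ) );      // 0 for anonymous callers
//   }

// After: logged-in hook only (no wp_ajax_nopriv_), nonce check, per-post capability check.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_example_update_vendor_product' );

function bao_example_update_vendor_product() {
	// Dies with HTTP 403 unless the request carries a valid nonce for this action.
	check_ajax_referer( 'bao_update_vendor_product', 'nonce' );

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$post    = $post_id ? get_post( $post_id ) : null;
	if ( ! $post ) {
		wp_send_json_error( 'unknown post', 404 );
	}

	// Authorization on the specific object, not just "is logged in":
	// edit_post is a meta capability WordPress resolves per post and per user.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// Never let post_author become 0: require a real, existing user.
	$new_author = get_current_user_id();
	if ( $new_author <= 0 || ! get_userdata( $new_author ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$result = wp_update_post(
		array( 'ID' => $post_id, 'post_author' => $new_author ),
		true // return WP_Error instead of 0 on failure
	);
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 500 );
	}
	wp_send_json_success( array( 'post_id' => $post_id, 'post_author' => $new_author ) );
}
```

The page script obtains the nonce from wp_create_nonce( 'bao_update_vendor_product' ) (for example through wp_localize_script) and sends it back as the 'nonce' request field; a request without it, or from a user lacking edit_post on that post, is rejected before wp_update_post() runs.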


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Hakeemnala; Hakeemnala build App Online; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Hakeemnala; Hakeemnala build App Online; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.

Type: Title
Values Added: Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:31.799Z

Reserved: 2026-03-06T16:26:41.553Z

Link: CVE-2026-3651

Vulnrichment

Updated: 2026-03-23T15:17:55.816Z

NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:17:34.023

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-3651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:11Z

Weaknesses