CVE-2026-3651 (GCVE-0-2026-3651)
Vulnerability from cvelistv5 – Published: 2026-03-21 03:26 – Updated: 2026-04-08 16:52
VLAI?
Title
Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action
Summary
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hakeemnala | Build App Online |
Affected:
0 , ≤ 1.0.23
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:17:54.772965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:54:48.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Build App Online",
"vendor": "hakeemnala",
"versions": [
{
"lessThanOrEqual": "1.0.23",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronnachai Sretawat Na Ayutaya"
},
{
"lang": "en",
"type": "finder",
"value": "Ronnachai Chaipha"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the \u0027build-app-online-update-vendor-product\u0027 AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:31.799Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233"
},
{
"url": "https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-20T15:10:32.000Z",
"value": "Disclosed"
}
],
"title": "Build App Online \u003c= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via \u0027build-app-online-update-vendor-product\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3651",
"datePublished": "2026-03-21T03:26:47.030Z",
"dateReserved": "2026-03-06T16:26:41.553Z",
"dateUpdated": "2026-04-08T16:52:31.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-3651",
"date": "2026-05-09",
"epss": "0.00169",
"percentile": "0.37768"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-3651\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-21T04:17:34.023\",\"lastModified\":\"2026-04-24T16:27:44.277\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the \u0027build-app-online-update-vendor-product\u0027 AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.\"},{\"lang\":\"es\",\"value\":\"El plugin Build App Online para WordPress es vulnerable a acceso no autorizado en todas las versiones hasta la 1.0.23, inclusive. Esto se debe a que el plugin registra la acci\u00f3n AJAX \u0027build-app-online-update-vendor-product\u0027 a trav\u00e9s de wp_ajax_nopriv_ sin las comprobaciones de autenticaci\u00f3n adecuadas, verificaci\u00f3n de capacidades o validaci\u00f3n de nonce en la funci\u00f3n update_vendor_product(). La funci\u00f3n acepta un ID de publicaci\u00f3n proporcionado por el usuario de la solicitud y llama a wp_update_post() para modificar el campo post_author sin validar si el usuario tiene permiso para modificar la publicaci\u00f3n especificada. Esto hace posible que atacantes no autenticados modifiquen el post_author de publicaciones arbitrarias a 0 (dejando las publicaciones hu\u00e9rfanas de sus autores leg\u00edtimos), o que atacantes autenticados reclamen la propiedad de cualquier publicaci\u00f3n al establecerse a s\u00ed mismos como el autor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3651\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T15:17:54.772965Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T15:17:55.816Z\"}}], \"cna\": {\"title\": \"Build App Online \u003c= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via \u0027build-app-online-update-vendor-product\u0027 AJAX Action\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronnachai Sretawat Na Ayutaya\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronnachai Chaipha\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"hakeemnala\", \"product\": \"Build App Online\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.0.23\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-20T15:10:32.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76c5a5e8a?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L565\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L565\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app-online-admin.php#L556\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-build-app-online-admin.php#L556\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-app-online.php#L233\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-build-app-online.php#L233\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the \u0027build-app-online-update-vendor-product\u0027 AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T16:52:31.799Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3651\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:52:31.799Z\", \"dateReserved\": \"2026-03-06T16:26:41.553Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-21T03:26:47.030Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…