CVE-2026-3651
Received Received - Intake
Unauthorized Access in Build App Online Plugin Allows Post Ownership Hijack

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3651
EUVD
EUVD-2026-13984
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
build_app_online plugin to 1.0.23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Build App Online plugin for WordPress has a vulnerability in all versions up to and including 1.0.23. This vulnerability arises because the plugin registers an AJAX action ('build-app-online-update-vendor-product') that can be accessed without proper authentication, capability checks, or nonce validation. Specifically, the update_vendor_product() function accepts a user-supplied post ID and updates the post_author field without verifying if the user has permission to modify that post.

As a result, unauthenticated attackers can modify the post_author of any post to 0, effectively orphaning the post from its legitimate author. Authenticated attackers can exploit this to claim ownership of any post by setting themselves as the author.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to change the ownership of posts on your WordPress site. Unauthenticated attackers can orphan posts by setting their author to 0, which may disrupt content management and accountability.

Authenticated attackers can claim ownership of any post by setting themselves as the author, potentially leading to unauthorized content modification, misinformation, or misuse of your site's content.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the 'build-app-online-update-vendor-product' action endpoint. Specifically, look for requests to the wp_ajax_nopriv_build-app-online-update-vendor-product action that attempt to modify post_author fields without proper authentication.

Since the vulnerability involves unauthenticated access to an AJAX action, you can check your web server logs or use network monitoring tools to identify suspicious POST requests targeting this AJAX action.

  • Use command-line tools like curl to simulate requests and test if the endpoint allows unauthorized modifications, for example: curl -X POST -d 'post_id=123' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=build-app-online-update-vendor-product
  • Check your web server access logs for POST requests to admin-ajax.php with the action parameter set to 'build-app-online-update-vendor-product' coming from unauthenticated sources.
Mitigation Strategies

The immediate mitigation step is to update the Build App Online plugin to a version later than 1.0.23 where this vulnerability is fixed.

If an update is not immediately available, temporarily disable or remove the Build App Online plugin to prevent exploitation.

Additionally, restrict access to the vulnerable AJAX action by implementing authentication checks, capability verification, or nonce validation in the plugin code if you have the capability to patch it manually.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart