CVE-2026-3651
Unauthorized Access in Build App Online Plugin Allows Post Ownership Hijack
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| build_app_online | plugin | up to and including 1.0.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Build App Online plugin for WordPress has a vulnerability in all versions up to and including 1.0.23. This vulnerability arises because the plugin registers an AJAX action ('build-app-online-update-vendor-product') that can be accessed without proper authentication, capability checks, or nonce validation. Specifically, the update_vendor_product() function accepts a user-supplied post ID and updates the post_author field without verifying if the user has permission to modify that post.
As a result, unauthenticated attackers can modify the post_author of any post to 0, effectively orphaning the post from its legitimate author. Authenticated attackers can exploit this to claim ownership of any post by setting themselves as the author.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to change the ownership of posts on your WordPress site. Unauthenticated attackers can orphan posts by setting their author to 0, which may disrupt content management and accountability.
Authenticated attackers can claim ownership of any post by setting themselves as the author, potentially leading to unauthorized content modification, misinformation, or misuse of your site's content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests to the 'build-app-online-update-vendor-product' action. Specifically, look for requests from unauthenticated sessions that reach the handler registered on the wp_ajax_nopriv_build-app-online-update-vendor-product hook, since those are the requests that can change post_author without any login, capability check, or nonce.
Since the vulnerability involves unauthenticated access to an AJAX action, you can check your web server logs or use network monitoring tools to identify suspicious POST requests targeting this AJAX action.
- Use command-line tools like curl to simulate requests and test if the endpoint allows unauthorized modifications, for example: `curl -X POST -d 'post_id=123' 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=build-app-online-update-vendor-product'`
- Check your web server access logs for POST requests to admin-ajax.php with the action parameter set to 'build-app-online-update-vendor-product' coming from unauthenticated sources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Build App Online plugin to a version later than 1.0.23 where this vulnerability is fixed.
If an update is not immediately available, temporarily disable or remove the Build App Online plugin to prevent exploitation.
Additionally, restrict access to the vulnerable AJAX action by implementing authentication checks, capability verification, or nonce validation in the plugin code if you have the capability to patch it manually.
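The following is an added illustration of what the three checks named above look like in a WordPress AJAX handler of the kind the description attributes to update_vendor_product(); it is not the plugin's own code, and the handler name, the nonce action name and the post_id request field are assumptions. The vendor's actual fix and the plugin's legitimate use of the post_author field are not stated on this page, so this example assigns the current user as author rather than accepting an author from the request.

```php
<?php
// Added example, not code from the Build App Online plugin.
// Hardened counterpart of the handler pattern described in CVE-2026-3651.

// Register only the authenticated hook. The flaw described above came with a
// 'wp_ajax_nopriv_' registration as well, which lets logged-out visitors reach
// the handler; not registering it is the first layer of the fix.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_update_vendor_product_hardened' );

function bao_update_vendor_product_hardened() {
    // 1. Nonce validation (CSRF protection). The nonce action name is assumed;
    //    the matching nonce must be issued with wp_create_nonce() on the page
    //    that triggers this request.
    check_ajax_referer( 'bao_update_vendor_product', 'nonce' );

    // 2. Validate the caller-supplied post ID instead of trusting it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post ID.' ), 400 );
    }

    // 3. Capability check against *this* post. This is the CWE-862
    //    authorization check that was missing: a user may only re-own a post
    //    they are already allowed to edit.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. The new author comes from the authenticated session, never from the
    //    request body, so a caller cannot orphan the post (author 0) or assign
    //    it to an arbitrary user ID.
    $result = wp_update_post(
        array(
            'ID'          => $post_id,
            'post_author' => get_current_user_id(),
        ),
        true // return a WP_Error on failure instead of 0
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

Each of the three checks closes a different path from the advisory: dropping the nopriv hook stops the unauthenticated author-to-0 case, the capability check stops an authenticated user claiming posts they cannot edit, and the nonce stops the request being forged on behalf of a logged-in user.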