PT-2026-26865 · WordPress · Build App Online

Ronnachai Chaipha · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3651

CVSS v3.1: 5.3 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Build App Online plugin for WordPress, versions prior to 1.0.24

Description: The Build App Online plugin for WordPress is susceptible to unauthorized access. The plugin registers the build-app-online-update-vendor-product AJAX endpoint via wp_ajax_nopriv without sufficient security measures. Specifically, there are no authentication checks, capability verification, or nonce validation within the update_vendor_product() function. This function accepts a user-supplied post ID and uses wp_update_post() to modify the post_author field without verifying user permissions. This allows unauthenticated attackers to set the post_author of any post to 0, effectively removing the original author. Authenticated attackers can also claim ownership of posts by changing the post_author to their own user ID. The vulnerable parameter is the post ID.

Recommendations: Update the Build App Online plugin to version 1.0.24 or later.
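The following is an added, illustrative reconstruction of the pattern this advisory describes, placed beside its hardened form; it is not the plugin's own code. Hook and function names follow the advisory text, while the `bao_` prefix, the `post_id` request parameter, the nonce action name and the `product` post type are assumptions.

```php
<?php
// Illustrative reconstruction, NOT the Build App Online plugin's code.
// Assumed names: bao_ prefix, 'post_id' parameter, nonce action, 'product' post type.

// --- Vulnerable pattern: handler reachable without login, no checks at all ---
add_action( 'wp_ajax_nopriv_build-app-online-update-vendor-product', 'bao_update_vendor_product_vulnerable' );
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_update_vendor_product_vulnerable' );

function bao_update_vendor_product_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // No nonce, no login check, no capability check: any caller can reassign any post.
    // For an anonymous caller get_current_user_id() is 0, so the author is erased.
    wp_update_post( array(
        'ID'          => $post_id,
        'post_author' => get_current_user_id(),
    ) );
    wp_send_json_success();
}

// --- Hardened form: authenticated hook only, nonce, per-post capability check ---
// The wp_ajax_nopriv_ registration is dropped entirely; anonymous requests get a 400 from admin-ajax.php.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_update_vendor_product_secure' );

function bao_update_vendor_product_secure() {
    // 1. Nonce: check_ajax_referer() terminates the request with 403 on a bad or missing nonce.
    check_ajax_referer( 'bao_update_vendor_product', 'nonce' );

    // 2. Authentication (wp_ajax_ already implies a logged-in user; checked explicitly anyway).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthenticated', 401 );
    }

    // 3. Input validation plus authorization on the specific post being changed.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'product' !== $post->post_type ) { // assumed post type
        wp_send_json_error( 'invalid post', 400 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only a user WordPress already allows to edit this post may become its author.
    wp_update_post( array(
        'ID'          => $post_id,
        'post_author' => get_current_user_id(),
    ) );
    wp_send_json_success();
}
```

The three checks map directly onto the advisory's three missing controls (nonce validation, authentication, capability verification); dropping the nopriv hook alone is not sufficient, since authenticated low-privilege users could still claim posts without the `edit_post` check.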

Fix

Weakness Enumeration

Missing Authorization

CVE-2026-3651

Affected Products

Build App Online