PT-2024-15258 · WordPress · Build App Online

Ram

Published

2024-06-10

Updated

2024-06-11

CVE-2023-7264

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Build App Online plugin for WordPress versions up to, and including, 1.0.21

Description The issue is related to a weak password reset mechanism, allowing unauthenticated attackers to reset the password of arbitrary users by guessing a 4-digit numeric reset code. This enables account takeover.

Recommendations For versions up to, and including, 1.0.21, update to version 1.0.22 immediately to resolve the issue. As a temporary workaround, consider restricting access to the password reset mechanism until the update is applied.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-640

Related Identifiers

CVE-2023-7264

Affected Products

Build App Online

PT-2024-15258 · WordPress · Build App Online

CVE-2023-7264

Weakness Enumeration

Related Identifiers

Affected Products

References · 8