CVE-2024-4186

Name of the Vulnerable Software and Affected Versions Build App Online plugin for WordPress versions up to, and including, 3.0.5

Description The issue is due to the eb user email verification key default value being empty and the missing not empty check in the eb user email verify function. This allows unauthenticated attackers to log in as any existing user, such as an administrator, if they have access to the user id. The exploitation of this issue is conditional on the 'Email Verification' setting being enabled.

Recommendations For versions up to, and including, 3.0.5, update to a version that fixes the empty default value of eb user email verification key and adds a not empty check in the eb user email verify function. As a temporary workaround, consider disabling the 'Email Verification' setting until a patch is available. Restrict access to user ids to minimize the risk of exploitation.