Build App Online WordPress Plugin Missing Authorization Vulnerability in AJAX Action

Vulnerability

A vulnerability exists in the Build App Online plugin for WordPress, affecting all versions up to and including 1.0.23. The issue arises from the plugin registering the 'build-app-online-update-vendor-product' AJAX action without proper authentication, capability verification, or nonce validation. This allows unauthorized users to modify the post_author field of arbitrary posts. Unauthenticated attackers can set the post_author to 0, orphaning posts from their legitimate authors, while authenticated attackers can claim ownership of any post by assigning themselves as the author.
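
The three missing checks named above, shown as a hardened handler pattern for an AJAX action that changes post_author. This is an added example, not the plugin's code or its patch; the handler name, the nonce action and the request fields post_id and vendor_id are assumptions, since the page does not give the plugin's parameter names.

```php
<?php
// Added example, not the plugin's code. Handler name, nonce action and the
// request fields 'post_id' / 'vendor_id' are assumptions.
// Logged-in hook only: no wp_ajax_nopriv_ registration, so unauthenticated
// requests never reach the handler.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'example_update_vendor_product' );

function example_fail( $message, $status ) {
    wp_send_json_error( array( 'message' => $message ), $status ); // sends JSON and exits
}

function example_update_vendor_product() {
    // 1. Nonce validation; with the third argument false it returns instead of dying.
    if ( ! check_ajax_referer( 'example_update_vendor_product', 'nonce', false ) ) {
        example_fail( 'Invalid nonce.', 403 );
    }

    $post_id   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $vendor_id = isset( $_POST['vendor_id'] ) ? absint( $_POST['vendor_id'] ) : 0;

    // 2. The target post must exist.
    $post = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        example_fail( 'Post not found.', 404 );
    }

    // 3. Capability check against this specific post, not a blanket role check.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        example_fail( 'Not allowed to edit this post.', 403 );
    }

    // 4. Assigning authorship to another user needs the post type's edit_others_posts cap.
    $ptype = get_post_type_object( $post->post_type );
    if ( $vendor_id !== get_current_user_id()
        && ( ! $ptype || ! current_user_can( $ptype->cap->edit_others_posts ) ) ) {
        example_fail( 'Not allowed to reassign this post.', 403 );
    }

    // 5. The new author must be an existing user; 0 would orphan the post.
    if ( ! $vendor_id || ! get_userdata( $vendor_id ) ) {
        example_fail( 'Unknown user.', 400 );
    }

    $result = wp_update_post( array( 'ID' => $post_id, 'post_author' => $vendor_id ), true );
    if ( is_wp_error( $result ) ) {
        example_fail( 'Update failed.', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'post_author' => $vendor_id ) );
}
```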

Impact

Exploitation of this vulnerability allows for unauthorized modification of post authorship, enabling attackers to orphan posts or falsely claim ownership of posts.

Added: Mar 21, 2026, 5:13 AM
Updated: Mar 21, 2026, 5:13 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 9.0
remediation: 0.0
relevance: 4.2
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.