Build App Online plugin for WordPress allows unauthorized post modifications

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

Build App Online plugin for WordPress allows unauthorized post modifications

CVE-2026-3651

Summary

The Build App Online plugin for WordPress has a security issue that allows attackers to modify posts without permission. This could cause legitimate authors to lose ownership of their posts or allow attackers to claim ownership of any post. To stay secure, update to the latest version of the plugin, 1.0.24 or later.

Original title

Original description

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.

nvd CVSS3.1 5.3

Vulnerability type

CWE-862 Missing Authorization

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026