CVE-2026-3651 in Build App Online Plugin
Summary
by MITRE • 03/21/2026
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified in CVE-2026-3651 affects the Build App Online plugin for WordPress, presenting a critical authorization flaw that undermines the platform's content management security model. This vulnerability exists in all versions up to and including 1.0.23, making it a widespread concern for WordPress administrators who have deployed this plugin. The flaw stems from improper handling of AJAX requests within the plugin's architecture, specifically in how it processes the 'build-app-online-update-vendor-product' action. The vulnerability directly relates to CWE-863, which addresses incorrect authorization issues where an attacker can perform actions they should not be permitted to execute.
The technical implementation of this vulnerability occurs through the registration of the AJAX action using the wp_ajax_nopriv_ hook prefix, which is intended for unauthenticated requests but lacks the necessary security checks. When the update_vendor_product() function is invoked, it accepts a user-supplied post ID parameter and directly passes it to wp_update_post() without validating the current user's permissions or capabilities. This absence of validation creates a path for privilege escalation where attackers can manipulate the post_author field of any WordPress post. The lack of nonce validation further compounds the issue, eliminating the ability to verify the authenticity of the request and making it susceptible to cross-site request forgery attacks.
The operational impact of this vulnerability is severe and multifaceted for WordPress site owners and administrators. Unauthenticated attackers can exploit this flaw to orphan posts from their legitimate authors by setting the post_author field to 0, effectively removing the original creator's ownership and potentially causing data integrity issues. Authenticated attackers with any user level can leverage this vulnerability to claim ownership of any post on the site, which can lead to content manipulation, reputation damage, and potential data exfiltration. This vulnerability directly maps to ATT&CK technique T1078.004, which covers valid accounts with compromised credentials, as it allows unauthorized users to assume the identity of legitimate authors. The impact extends beyond simple content modification, as it can disrupt site functionality, compromise user trust, and potentially provide attackers with additional attack vectors through the compromised authorship relationships.
Mitigation strategies for CVE-2026-3651 should prioritize immediate action to address the core authorization flaw. The most effective approach involves implementing proper capability checks within the update_vendor_product() function to verify that the current user has appropriate permissions to modify the specified post before executing wp_update_post(). This includes validating that users have the 'edit_post' capability for the target post and implementing nonce verification to ensure requests originate from legitimate sources. Administrators should also consider updating to the latest version of the plugin once a patched release becomes available, as this vulnerability is likely to be addressed through proper authentication enforcement. Additionally, implementing rate limiting on AJAX endpoints and monitoring for unusual post modification patterns can help detect exploitation attempts. The remediation process should align with security best practices outlined in the WordPress Security Hardening guidelines, particularly regarding the proper handling of user input and the implementation of defense-in-depth measures. Network-based solutions such as web application firewalls can provide additional protection by blocking suspicious AJAX requests, though these should complement rather than replace proper code-level fixes.