Attack Vectors
CVE-2026-3651 affects the WordPress plugin Build App Online (slug: build-app-online) in versions <= 1.0.23 and is rated Medium severity (CVSS 5.3).
The primary attack path is remote and does not require a user account. An attacker can send requests to WordPress’s AJAX endpoint (admin-ajax.php) using the plugin’s build-app-online-update-vendor-product action, which is exposed to unauthenticated visitors. Because this can be triggered over the network with low complexity and no user interaction, it is a practical risk for internet-facing sites.
Security Weakness
The issue is a missing authorization control in the plugin’s handling of an unauthenticated AJAX action. In affected versions, the plugin registers build-app-online-update-vendor-product for non-logged-in users and processes it without proper authentication checks, capability verification, or nonce validation.
As described in the public advisory, the vulnerable function accepts a user-supplied post ID and then updates the post to modify the post_author field, without validating whether the requester is allowed to change that post. In business terms: an external party may be able to change who WordPress records as the author of specific content, even without logging in.
Technical or Business Impacts
The disclosed impact is primarily integrity-related (CVSS indicates low integrity impact, with no confidentiality or availability impact noted). However, author changes can still create meaningful business risk: they can disrupt editorial workflows, misattribute ownership of content, complicate approvals and accountability, and interfere with compliance or audit requirements that rely on accurate change history and attribution.
For marketing and brand teams, unauthorized author modification can also create reputational and operational issues—content may appear to have been published or “owned” by the wrong person, leading to confusion in stakeholder communications, partner relationships, or internal reporting. It can also increase the time and cost needed to investigate “who changed what” during an incident response or compliance review.
Mitigation guidance (no known patch available): Given that no fix is currently listed, organizations should evaluate whether to uninstall and replace Build App Online based on risk tolerance. If removal is not immediately possible, consider short-term compensating controls such as tightening access to WordPress administrative endpoints, implementing WAF rules to block or rate-limit suspicious requests to the specific AJAX action, and monitoring for unexpected author changes on posts and key landing pages.
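For plugin maintainers and site teams reviewing their own code, the following is an added, illustrative PHP handler showing the controls whose absence is described in the Security Weakness section, plus a hook for the author-change monitoring suggested above. It is not the Build App Online plugin's code; the action name, function names and request parameters are assumptions.

```php
<?php
// Illustrative (hypothetical) handler; not the Build App Online plugin's code.
// Action, function and parameter names are assumptions. It adds the checks the
// advisory describes as missing: authentication, nonce, per-post capability.

// wp_ajax_ only (logged-in users); no wp_ajax_nopriv_ for a state-changing action.
add_action( 'wp_ajax_example_update_vendor_product', 'example_update_vendor_product' );

function example_update_vendor_product() {
    // Nonce: rejects requests not issued from the plugin's own form or script.
    check_ajax_referer( 'example_update_vendor_product', 'nonce' );

    // Validate input shape before touching the database.
    $post_id    = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $new_author = isset( $_POST['author'] ) ? absint( $_POST['author'] ) : 0;
    if ( ! $post_id || ! $new_author || ! get_post( $post_id ) || ! get_userdata( $new_author ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // Authorization scoped to this post: edit_post applies WordPress's ownership
    // rules; edit_others_posts is what core itself requires to reassign authors.
    if ( ! current_user_can( 'edit_post', $post_id ) || ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Second argument: return a WP_Error instead of 0 on failure.
    $result = wp_update_post( array( 'ID' => $post_id, 'post_author' => $new_author ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'post_author' => $new_author ) );
}

// Detection for the monitoring step in the mitigation guidance: record every
// author change with the acting user and client IP so unexpected ones stand out.
add_action( 'post_updated', 'example_log_author_change', 10, 3 );
function example_log_author_change( $post_id, $post_after, $post_before ) {
    if ( (int) $post_after->post_author === (int) $post_before->post_author ) {
        return;
    }
    error_log( sprintf(
        'author change on post %d: %d -> %d by user %d from %s',
        $post_id, $post_before->post_author, $post_after->post_author,
        get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
}
```

An author change logged with user ID 0 (no authenticated session) is exactly the pattern the advisory describes and is worth alerting on.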
Similar Attacks: Authorization gaps that allow unauthenticated content changes have occurred before in the WordPress ecosystem, including CVE-2017-5487 (WordPress REST API content injection) and CVE-2021-29447 (WordPress XXE via media uploads), both of which show how public-facing endpoints can become high-value targets when access controls are incomplete.
Reference: CVE-2026-3651 and the advisory source at Wordfence Threat Intelligence.