CVE-2026-3651: CWE-862 Missing Authorization in hakeemnala Build App Online
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Build App Online plugin for WordPress suffers from a missing authorization vulnerability identified as CVE-2026-3651. This issue exists in all versions up to and including 1.0.23. The root cause is the registration of the AJAX action 'build-app-online-update-vendor-product' via the wp_ajax_nopriv_ hook, which allows unauthenticated users to invoke the update_vendor_product() function. This function accepts a post ID from the request and calls wp_update_post() to modify the post_author field without verifying whether the requester has the necessary permissions to modify that post. The lack of authentication checks, capability verification, and nonce validation means that unauthenticated attackers can change the author of any post to 0, effectively orphaning the post and removing legitimate author ownership. Authenticated attackers can exploit this to claim ownership of posts by setting themselves as the author. This vulnerability falls under CWE-862 (Missing Authorization). While it does not impact confidentiality or availability, it compromises data integrity by allowing unauthorized modification of post ownership. No patches or mitigations are currently linked, and no known exploits have been reported in the wild. The CVSS v3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact.
Potential Impact
This vulnerability allows attackers to modify the post_author field of arbitrary WordPress posts without authorization. For unauthenticated attackers, this can orphan posts by setting the author to 0, potentially disrupting content management, auditing, and ownership tracking. For authenticated attackers, it enables privilege escalation by claiming ownership of posts they do not own, which can lead to unauthorized content editing, deletion, or publication under their identity. This undermines content integrity and trustworthiness on affected WordPress sites. Organizations relying on the Build App Online plugin risk content tampering, loss of author accountability, and potential misuse of content management workflows. Although it does not directly expose sensitive data or cause denial of service, the integrity compromise can have reputational and operational impacts, especially for sites with multiple authors or strict content governance. The ease of exploitation (no authentication required for some attacks) increases risk, particularly for public-facing WordPress sites using this plugin.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Disable or remove the Build App Online plugin if it is not essential.
2) Restrict access to the AJAX endpoint 'build-app-online-update-vendor-product' by configuring web application firewalls (WAFs) or server rules to block unauthenticated requests to this action.
3) Implement custom code or hooks to validate user capabilities before allowing post_author modifications via this plugin’s AJAX calls.
4) Monitor WordPress logs for suspicious calls to this AJAX action and unexpected changes in post authorship.
5) Limit plugin usage to trusted users and environments with strict access controls.
6) Once available, promptly apply official patches or updates from the plugin vendor.
7) Conduct regular audits of post authorship to detect unauthorized changes.
These steps go beyond generic advice by focusing on controlling access to the vulnerable AJAX action and monitoring for exploitation attempts.
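The checks that mitigation 3 calls for, shown as an added example handler for the AJAX action named in the advisory. This is not the Build App Online plugin's code: the function name, the nonce action string, the 'product' post type and the choice to assign the current user as author are assumptions; the action name and the missing checks (authentication, capability, nonce) come from the advisory.

```php
<?php
// Added example, not the plugin's own code. It shows the checks the advisory
// says update_vendor_product() lacks, applied to the same AJAX action name.

// Register on wp_ajax_ only, never on wp_ajax_nopriv_: changing post ownership
// has no anonymous use case. Without a nopriv hook, admin-ajax.php answers
// unauthenticated requests for this action with its default '0' response.
add_action( 'wp_ajax_build-app-online-update-vendor-product', 'bao_example_update_vendor_product' );

function bao_example_update_vendor_product() {
    // 1. Nonce: the request must carry a token minted for this user and this
    //    action (client side: wp_create_nonce( 'bao_update_vendor_product' ),
    //    sent as the 'nonce' field). check_ajax_referer() dies with 403 on failure.
    check_ajax_referer( 'bao_update_vendor_product', 'nonce' );

    // 2. Authentication: implied by wp_ajax_, but made explicit so the function
    //    stays safe if someone later re-hooks it.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Input validation: the post ID must be a positive integer naming an
    //    existing post of the expected type (assumed here: 'product').
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'product' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }

    // 4. Authorization (the CWE-862 gap): check the meta capability against
    //    this specific post, not just a role. Only users who may edit this
    //    post may change who owns it.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not modify this post.' ), 403 );
    }

    // 5. Never take the new author from the request. Assigning the verified
    //    current user means post_author can never become 0 or another account.
    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_author' => get_current_user_id() ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'post_author' => get_current_user_id() ) );
}
```

Checks 1, 2 and 4 each correspond to one of the three missing controls the advisory lists; step 5 removes the attacker-controlled author value entirely rather than validating it.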
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-06T16:26:41.553Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69be1810f4197a8e3b7843b7
Added to database: 3/21/2026, 4:01:20 AM
Last enriched: 3/21/2026, 4:20:38 AM
Last updated: 3/22/2026, 5:03:34 AM