WordPress Plugin Vulnerabilities

Build App Online < 1.0.22 - Unauthenticated Account Takeover via Weak Password Reset Mechanism

Description

The plugin is vulnerable to account takeover due to a weak password reset mechanism, allowing unauthenticated attackers to reset the password of arbitrary users by guessing an 8-digit numeric reset code.

Affects Plugins

Plugin icon
build-app-online
Fixed in 1.0.22

References

CVE
CVE-2023-51478
URL
https://patchstack.com/database/vulnerability/build-app-online/wordpress-build-app-online-plugin-1-0-19-unauthenticated-account-takeover-vulnerability

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
48539129-664b-409f-ac48-7d4670df2b41

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-08-09 (about 1 year ago)

Other

Published
Title
Published
2019-07-10
Title
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update
Published
2022-07-11
Title
YOP Poll < 6.4.3 - IP Spoofing
Published
2023-03-06
Title
Formidable Forms < 6.1 - IP Spoofing
Published
2014-09-17
Title
WordPress Mobile Pack 1.0.8223 - 2.0.1 Password Protected Post Disclosure
Published
2017-01-11
Title
WordPress 4.7 - User Information Disclosure via REST API