CVE-2023-7264

The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688	Product
https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688	Product
https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:buildapp:build_app_online:*:*:*:*:*:wordpress:*:*

History

05 Feb 2025, 16:29

Type	Values Removed	Values Added
First Time		Buildapp Buildapp build App Online
CPE	cpe:2.3:a:buildapp.online:build_app_online::::::wordpress::*	cpe:2.3:a:buildapp:build_app_online::::::wordpress::*

05 Feb 2025, 14:36

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688 -~~	() https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3688 - Product
References	~~() https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757 -~~	() https://plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.21/public/class-build-app-online-public.php#L3757 - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/f6047ae6-b1b4-4b31-aa12-560927e1040b?source=cve - Third Party Advisory
CPE		cpe:2.3:a:buildapp.online:build_app_online::::::wordpress::*
First Time		Buildapp.online build App Online Buildapp.online
CWE		CWE-640

Information

Published : 2024-06-11 04:15

Updated : 2025-02-05 16:29

NVD link : CVE-2023-7264

Mitre link : CVE-2023-7264

CVE.ORG link : CVE-2023-7264

JSON object : View

Products Affected

buildapp

build_app_online

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

8.1 /10