Auth bypass in Hakeemnala Build App Online
CVE-2026-3651
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_…
Vulnerability class: Broken Access Control
EPSS: 0.002 (39.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Hakeemnala Build App Online — versions 0
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/51564b26-0d7c-4499-9f5a-84f76…
- plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app…
- plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-bui…
- plugins.trac.wordpress.org/browser/build-app-online/trunk/admin/class-build-app…
- plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/admin/class-bui…
- plugins.trac.wordpress.org/browser/build-app-online/trunk/includes/class-build-…
- plugins.trac.wordpress.org/browser/build-app-online/tags/1.0.23/includes/class-…
Frequently asked questions
- What is CVE-2026-3651?
- CVE-2026-3651 is a medium-severity vulnerability in Hakeemnala Build App Online, classified under Missing Authorization. CVSS score: 5.3/10. Published 2026-03-21.
- How severe is CVE-2026-3651?
- Medium severity. CVSS v3 base score is 5.3 out of 10.