Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.
The vulnerability results from improper control of the file name passed to include/require instructions in PHP code (CWE-98, CWE-829). An attacker can manipulate the input parameter in such a way as to force the application to include and execute a file located on the server, for example log files, configuration files, or other resources available in the file system. The attack does not require authentication or user interaction and can be carried out remotely over the network.
An attacker can read sensitive files from the server (e.g., configuration data, passwords), and under favorable conditions, lead to the execution of malicious code, which may result in complete server takeover.
The Build App Online plugin should be updated to a version higher than 1.0.23. Details regarding available patches can be found in the vendor's references and in the Patchstack database.
The WordPress Build App Online plugin by hakeemnaal in versions from initial availability through 1.0.23 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBuildapp Build App Online
APPBuildapp≤ 1.0.23
Related vulnerabilities
Auth Bypass i privilege escalation w wtyczce Build App Online dla WordPress
The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mecha...
Improper Privilege Management vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This ...
Cross-Site Request Forgery (CSRF) vulnerability in hakeemnala Build App Online build-app-online allows Cross S...