CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-49649

CVSS 9.8v3.1pub. 2025-01-07upd. 2026-04-23

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.

🤖 AI Analysis
How it works

The vulnerability results from improper control of the file name passed to include/require instructions in PHP code (CWE-98, CWE-829). An attacker can manipulate the input parameter in such a way as to force the application to include and execute a file located on the server, for example log files, configuration files, or other resources available in the file system. The attack does not require authentication or user interaction and can be carried out remotely over the network.

Impact

An attacker can read sensitive files from the server (e.g., configuration data, passwords), and under favorable conditions, lead to the execution of malicious code, which may result in complete server takeover.

Mitigation & patch

The Build App Online plugin should be updated to a version higher than 1.0.23. Details regarding available patches can be found in the vendor's references and in the Patchstack database.

Who is affected

The WordPress Build App Online plugin by hakeemnaal in versions from initial availability through 1.0.23 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Buildapp Build App Online

    APP
    Buildapp
    ≤ 1.0.23
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-51478CRITICAL9.8PL ✓ten sam produkt

Auth Bypass i privilege escalation w wtyczce Build App Online dla WordPress

CVE-2023-7264HIGH8.1ten sam produkt

The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mecha...

CVE-2023-51479HIGH8.8ten sam produkt

Improper Privilege Management vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This ...

CVE-2024-53751MEDIUM5.4ten sam produkt

Cross-Site Request Forgery (CSRF) vulnerability in hakeemnala Build App Online build-app-online allows Cross S...