Login Sign Up

CVE-2024-49649

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper input validation in the Build App Online WordPress plugin. Attackers can potentially read sensitive files, execute code, or escalate privileges. All WordPress sites running Build App Online plugin versions up to 1.0.23 are affected.

💻 Affected Systems

Products:
  • Build App Online WordPress Plugin
Versions: n/a through 1.0.23
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated.

📦 What is this software?

Build App Online by Buildapp

View all CVEs affecting Build App Online →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, ransomware deployment, or complete site takeover through remote code execution.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials), limited code execution, or privilege escalation.

🟢

If Mitigated

Limited impact with proper file permissions, web application firewalls, and restricted PHP functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of vulnerable endpoints but is straightforward once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.24 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/build-app-online/vulnerability/wordpress-build-app-online-plugin-1-0-23-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Build App Online plugin. 4. Click 'Update Now' if update available. 5. If no update, manually download version 1.0.24+ from WordPress repository and replace files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate build-app-online

Web Application Firewall Rule

all

Block requests containing local file inclusion patterns.

ModSecurity rule: SecRule ARGS "\.\./" "id:1001,phase:2,deny,status:403,msg:'Local File Inclusion Attempt'

🧯 If You Can't Patch

  • Remove plugin files completely from server
  • Implement strict file permissions (chmod 644 for PHP files, 755 for directories)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Build App Online for version number. If version is 1.0.23 or lower, you are vulnerable.

Check Version:

wp plugin get build-app-online --field=version

Verify Fix Applied:

Verify plugin version is 1.0.24 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ patterns in parameters
  • Access to sensitive files like /etc/passwd, wp-config.php

Network Indicators:

  • Unusual POST/GET requests to plugin endpoints with file paths

SIEM Query:

source="web_logs" AND (uri="*build-app-online*" AND (param="*../*" OR param="*..\\*"))

📊 Metadata

CVE ID: CVE-2024-49649
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-98
EPSS Score: 0.9% exploit probability (75.2th percentile)
Published: January 7, 2025
Last Updated: February 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-49649, you might also want to check these:

CVE-2025-25174 10.0

This CVE describes a PHP Local File Inclusion vulnerability in the BeeTeam368 Extensions WordPress p...

Same vulnerability type (CWE-98)
CVE-2025-49994 9.8

This vulnerability allows attackers to include local files on the server through improper filename c...

Same vulnerability type (CWE-98)
CVE-2025-50003 9.8

This vulnerability allows attackers to include local PHP files through improper filename control in ...

Same vulnerability type (CWE-98)