CVE-2025-53249
Description
Cross-Site Request Forgery (CSRF) vulnerability in hakeemnala Build App Online build-app-online allows Cross Site Request Forgery. This issue affects Build App Online: from n/a through <= 1.0.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Build App Online WordPress plugin up to 1.0.23 allows attackers to force privileged users into unwanted actions without consent.
Root Cause
The Build App Online plugin for WordPress (versions up to and including 1.0.23) contains a Cross-Site Request Forgery (CSRF) vulnerability. The issue lies in the plugin's failure to validate or include a nonce or other anti-CSRF token in sensitive state-changing requests, allowing attackers to craft malicious requests that appear legitimate to the server [1].
Exploitation
To exploit this vulnerability, an attacker must trick a logged-in user with higher privileges (e.g., administrator) into performing an action such as clicking a crafted link, visiting a malicious page, or submitting a fraudulent form. No special privileges are required on the attacker's side beyond the ability to deliver a crafted request to the target user [1].
Impact
If successfully exploited, the attacker can force the victim user to execute unintended actions under their current authentication. This could lead to unauthorized changes in plugin settings, creation of new admin users, or modification of website content, depending on the actions exposed by the plugin [1].
Mitigation
The vulnerability tracker notes that exploitation is used in mass campaigns targeting thousands of websites. The immediate recommended action is to update the plugin to the latest patched version. If updating is not possible, users should seek assistance from their hosting provider or a web developer. The vulnerability affects all versions through 1.0.23; later versions should have the issue resolved [1].
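The root-cause and mitigation sections above describe the general defect class (a state-changing admin request accepted without a nonce) and the fix class (a nonce bound to the user and action, checked server-side). The following is an added illustration written for this page; it is not code from the Build App Online plugin, and the option name, action names and hypothetical `bao_example_*` function names are assumptions. It shows a vulnerable settings handler next to the hardened form using only WordPress core APIs (`wp_nonce_field`, `check_admin_referer`, `current_user_can`).

```php
<?php
// Added illustration for this CVE page; not the plugin's own code.
// All "bao_example_*" names and the option key are hypothetical.

// --- Vulnerable pattern: state change with no anti-CSRF token check ---
// Any request that carries the logged-in admin's cookies is accepted, so a
// form auto-submitted from an unrelated page the admin visits will succeed.
add_action( 'admin_post_bao_example_save', 'bao_example_save_vulnerable' );
function bao_example_save_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'bao_example_api_key', $api_key ); // hypothetical option
    wp_safe_redirect( admin_url( 'admin.php?page=bao-example' ) );
    exit;
}

// --- Hardened pattern: nonce in the form + nonce and capability check ---
// The form emits a nonce tied to the current user, the action string and a
// time window. A cross-site page cannot read it, so it cannot forge a valid
// submission.
function bao_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bao_example_save', 'bao_example_nonce' ); ?>
        <input type="hidden" name="action" value="bao_example_save_secure">
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'bao_example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_bao_example_save_secure', 'bao_example_save_secure' );
function bao_example_save_secure() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bao-example' ), '',
                array( 'response' => 403 ) );
    }
    // 2. CSRF: verifies the nonce field named 'bao_example_nonce' against the
    //    'bao_example_save' action and dies with a 403-style page on failure.
    check_admin_referer( 'bao_example_save', 'bao_example_nonce' );

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'bao_example_api_key', $api_key );
    wp_safe_redirect( admin_url( 'admin.php?page=bao-example' ) );
    exit;
}
```

The two checks are independent: the capability check stops a low-privilege user from reaching the handler at all, while the nonce check stops a third-party site from riding a privileged user's session. Both are needed; a nonce alone does not authorize, and a capability check alone does not prevent forgery. For REST routes the equivalent is a non-trivial `permission_callback` plus the `X-WP-Nonce` header that WordPress core sends for cookie-authenticated requests.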
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.