CVE-2024-49649

Critical

Published: 07 January 2025

Published

07 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0457 89.3th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.

Security Summary

CVE-2024-49649 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Build App Online WordPress plugin by hakeemnala. This issue affects all versions of the plugin from unknown initial release through 1.0.23 and is associated with CWEs-98 and CWE-829.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by unauthenticated attackers over the network with low complexity and no user interaction. Exploitation allows attackers to include local files, potentially leading to high-impact compromise of confidentiality, integrity, and availability, such as unauthorized access to sensitive data or remote code execution on the affected WordPress site.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/build-app-online/vulnerability/wordpress-build-app-online-plugin-1-0-23-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-07.

Details

CWE(s): CWE-98CWE-829

Affected Products

buildapp

build app online

≤ 1.0.23

References

https://patchstack.com/database/Wordpress/Plugin/build-app-online/vulnerability/wordpress-build-app-online-plugin-1-0-23-local-file-inclusion-vulnerability?_s_id=cve
Third Party Advisory · audit@patchstack.com