CVE-2024-49649: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2024-49649) was discovered in the Build App Online WordPress plugin affecting all versions up to and including 1.0.23. The vulnerability stems from improper control of filename for include/require statements in PHP programs. This security flaw was initially reported on October 31, 2024, and was publicly disclosed on January 6, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, specifically a PHP Remote File Inclusion vulnerability. It has received a Critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is tracked under CWE-98 and CWE-829, indicating inclusion of functionality from untrusted control sphere (NVD).

The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code within those files. This can be exploited to bypass access controls, obtain sensitive information, or achieve code execution in cases where images and other 'safe' file types can be uploaded and included. Files containing credentials, such as database configurations, could potentially lead to complete database takeover depending on the system configuration (WPScan).

Currently, there is no official fix available from the plugin developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement security measures immediately or consider using virtual patching solutions to protect their installations (Patchstack).