Overview

• Security researchers at Wiz disclosed on July 9 that undocumented registration and OTP verification endpoints in Base44’s API allowed bypassing Single Sign-On using only a public app_id.
• The flaw enabled attackers to create verified accounts for private applications, potentially exposing HR records, personal data, internal chatbots and automation tools.
• Wix deployed a server-side fix within 24 hours of notification and confirmed there is no evidence the vulnerability was exploited.
• The incident underscores the dangers of shared infrastructure in vibe coding platforms, where a single flaw can jeopardize all hosted enterprise apps.
• Customers are not required to take any action beyond routine application log monitoring following the silent patch.