
Stacks Mobile App Builder CVE-2024-50477
Severity: CRITICAL, CVSS 3.1 base score 9.8
Weakness: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Published: 2024-10-28, reported by audit@patchstack.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

PoC Detected: Apr 01, 2026 - 16:19 (vuln.today), public exploit code
CVE Published: Oct 28, 2024 - 12:15 (NVD), CRITICAL 9.8

Description (NVD)

Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Mobile App Builder (plugin slug stacks-mobile-app-builder) allows Authentication Bypass. This issue affects Stacks Mobile App Builder versions from n/a through 5.2.3 (inclusive).

Analysis (AI)

Authentication bypass in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) allows unauthenticated remote attackers to circumvent the normal login controls through an alternate path or channel, leading to full compromise of confidentiality, integrity, and availability; the CVSS 3.1 vector (network, low complexity, no privileges, no user interaction, high C/I/A impact) is consistent with an unauthenticated takeover of the site. Publicly available exploit code exists, and EPSS scores this at 81.93% (99th percentile), indicating a high likelihood of exploitation, though the CVE is not currently listed in CISA KEV. The flaw was reported through Patchstack's audit program (audit@patchstack.com) and affects any WordPress installation with this plugin active.

Technical Context (AI)

The vulnerability is a CWE-288 (Authentication Bypass Using an Alternate Path or Channel) affecting the Stacks Mobile App Builder plugin distributed for WordPress (CPE: cpe:2.3:a:stacksmarket:stacks_mobile_app_builder:*:*:*:*:*:wordpress:*:*). CWE-288 arises when a product exposes an authentication-required function through a secondary endpoint, API route, or AJAX handler that never invokes the primary authentication check. In WordPress plugins this commonly takes the form of REST API routes registered with a permissive permission_callback (such as __return_true), wp_ajax_nopriv_ handlers, or custom rewrite rules that perform a privileged action, or even log a user in, without a capability check, nonce verification, or a credential check equivalent to wp-login.php. A mobile-app backend is a typical place for such a channel, since it needs a login endpoint that the app can call without an existing WordPress session. The specific endpoint and parameters involved in this CVE are not given in the advisory text above.
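The following is an added illustration of the CWE-288 pattern just described in WordPress terms. It is not code from Stacks Mobile App Builder or from Patchstack; the namespace example-app/v1, the route names, and the parameter names are hypothetical. The first registration shows a secondary login channel that issues a session without verifying any credential; the second shows the same route made to perform the same credential check as the primary login path; the third shows how a route that acts for an existing user should gate on capability instead.

```php
<?php
/**
 * Added example (not plugin code): a CWE-288 style alternate login channel
 * in a WordPress REST route, beside a hardened version of the same route.
 * Namespace, routes and parameter names are hypothetical placeholders.
 */

// VULNERABLE PATTERN (hypothetical): the route trusts an identifier supplied by
// the client and creates an authenticated session for that account. wp-login.php
// and its password check are never involved, so anyone who knows an
// administrator's e-mail address becomes that administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/login', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // reachable unauthenticated
        'callback'            => function ( WP_REST_Request $request ) {
            $user = get_user_by( 'email', $request->get_param( 'email' ) );
            if ( ! $user ) {
                return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
            }
            // No password, token or nonce is checked before the session is issued.
            wp_set_current_user( $user->ID );
            wp_set_auth_cookie( $user->ID, true );
            return rest_ensure_response( array( 'id' => $user->ID ) );
        },
    ) );
} );

// HARDENED PATTERN (hypothetical): the secondary channel runs the same
// credential check as the primary one. wp_authenticate() applies the normal
// 'authenticate' filters (password verification, lockout and 2FA plugins).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/secure-login', array(
        'methods'             => 'POST',
        // An open permission_callback is acceptable only because the
        // callback itself authenticates before doing anything else.
        'permission_callback' => '__return_true',
        'args'                => array(
            'email'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
            'password' => array( 'required' => true ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $user = wp_authenticate(
                $request->get_param( 'email' ),
                $request->get_param( 'password' )
            );
            if ( is_wp_error( $user ) ) {
                // Generic failure: do not reveal whether the account exists.
                return new WP_Error( 'invalid_login', 'Invalid credentials', array( 'status' => 401 ) );
            }
            wp_set_current_user( $user->ID );
            wp_set_auth_cookie( $user->ID, true );
            return rest_ensure_response( array( 'id' => $user->ID ) );
        },
    ) );
} );

// Routes that act on behalf of an already logged-in user gate on capability.
// With cookie authentication the REST server additionally requires the
// X-WP-Nonce header, so a plain cross-site POST is rejected as well.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep its register_rest_route() calls for permission_callback => '__return_true' and its add_action( 'wp_ajax_nopriv_...' ) handlers, then read each callback for anything that calls wp_set_auth_cookie(), wp_set_current_user(), or a privileged operation without first authenticating the request.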

Remediation (AI)

Upgrade the Stacks Mobile App Builder plugin to a release newer than 5.2.3; consult the Patchstack advisory (reporter: audit@patchstack.com) for the exact fixed version, since a specific patched release is not confirmed in the material above. If an immediate upgrade is not feasible, deactivate and remove the plugin entirely (trade-off: loss of mobile app builder functionality; note that a merely deactivated plugin no longer registers its REST routes or AJAX handlers, but its files should still be removed), or restrict unauthenticated access to the site's wp-json REST API and admin-ajax.php endpoints with a web application firewall rule or an mu-plugin scoped to the plugin's REST namespace and AJAX actions (trade-off: may break legitimate mobile app logins and integrations). Because public exploit code exists, treat every exposed install as potentially compromised: review WordPress user accounts for unauthorized additions, role escalations, and recently created application passwords; inspect wp-content/plugins/stacks-mobile-app-builder and the upload and mu-plugins directories for unexpected files; and check web server logs for POST requests to the plugin's routes preceding any suspicious account activity.
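One way to implement the interim restriction above without a WAF is a must-use plugin that denies unauthenticated requests to the plugin's REST namespace and AJAX actions. The code below is an added example, not vendor or Patchstack code; the namespace example-app/v1 and the action prefix example_app_ are placeholder assumptions and must be replaced with the values the affected plugin actually registers (look at its register_rest_route() and add_action( 'wp_ajax_nopriv_...' ) calls).

```php
<?php
/**
 * Plugin Name: Temporary REST/AJAX restriction (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ to deny unauthenticated access
 *              to one plugin's REST namespace and admin-ajax actions until the
 *              fixed release is installed. Namespace and prefix are assumptions.
 */

const EXAMPLE_BLOCKED_REST_NAMESPACE = 'example-app/v1'; // assumption: replace
const EXAMPLE_BLOCKED_AJAX_PREFIX    = 'example_app_';   // assumption: replace

// 1. REST API. rest_pre_dispatch runs after WordPress has determined the
//    current user (cookie + nonce, application password, etc.) but before the
//    route callback. Returning a WP_Error short-circuits dispatch.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. "/example-app/v1/login"
    $in_namespace = 0 === strpos( $route, '/' . EXAMPLE_BLOCKED_REST_NAMESPACE . '/' );
    if ( $in_namespace && ! is_user_logged_in() ) {
        error_log( sprintf(
            'virtual-patch: blocked REST %s %s from %s',
            $request->get_method(),
            $route,
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        return new WP_Error( 'rest_forbidden', 'Temporarily disabled', array( 'status' => 403 ) );
    }
    return $result;
}, 1, 3 );

// 2. admin-ajax.php. It fires admin_init before dispatching wp_ajax_nopriv_*
//    handlers, so unauthenticated calls to the plugin's actions can be stopped
//    here. Logged-in users keep access and still go through WordPress's own
//    nonce/capability checks inside the handlers.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( 0 === strpos( $action, EXAMPLE_BLOCKED_AJAX_PREFIX ) ) {
        error_log( sprintf(
            'virtual-patch: blocked AJAX action %s from %s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        wp_send_json_error( array( 'message' => 'Temporarily disabled' ), 403 );
    }
} );
```

This deliberately blocks the mobile app's own unauthenticated login path as well, which is the trade-off already noted; the error_log lines give a record of blocked attempts that can be correlated with the account review during the window before the upgrade. Remove the mu-plugin once the fixed release is installed and verified.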
