Stacks Mobile App Builder CVE-2024-50527
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Upload a Web Shell to a Web Server.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3.
AnalysisAI
Unrestricted file upload in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) permits remote unauthenticated attackers to upload arbitrary files, including web shells, to vulnerable WordPress sites. The CVSS 10.0 score with a scope-changed vector reflects full compromise potential of the underlying web server, though no public exploit has been identified at time of analysis and the EPSS score of 0.89% (75th percentile) suggests no widespread exploitation observed yet.
Technical ContextAI
The vulnerability is a CWE-434 (Unrestricted Upload of File with Dangerous Type) flaw in the Stacks Mobile App Builder plugin for WordPress, identified by the CPE string cpe:2.3:a:stacksmarket:stacks_mobile_app_builder. This plugin extends WordPress with mobile application building functionality, and the flaw exists in a file upload handler that fails to validate or restrict uploaded file extensions, content types, or MIME types. As a result, executable PHP scripts (web shells) can be written into a location accessible by the PHP interpreter, allowing arbitrary server-side code execution within the WordPress process context.
RemediationAI
No vendor-released patch version was provided in the available data; administrators should consult the Patchstack advisory database for the Stacks Mobile App Builder plugin and upgrade to any version newer than 5.2.3 if available. As immediate compensating controls, deactivate and remove the Stacks Mobile App Builder plugin from affected WordPress installations (trade-off: loss of mobile app builder functionality), or block external access to the plugin's upload endpoints at the web application firewall or web server level by denying POST requests to the plugin's directory under wp-content/plugins/stacks-mobile-app-builder/ (trade-off: may break legitimate administrative use). Additionally, restrict PHP execution within wp-content/uploads/ via web server configuration to prevent execution of uploaded shells (trade-off: minimal, recommended as a general WordPress hardening practice). Audit the uploads directory for unexpected PHP, .phtml, or other executable files indicative of prior compromise.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today