Description (NVD)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse. This issue affects Mobile builder: from n/a through <= 1.4.2.
Analysis (AI)
Mobile Builder WordPress plugin versions 1.4.2 and earlier contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through alternate paths or channels. The plugin fails to properly validate user credentials or session tokens, potentially enabling unauthorized access to sensitive functionality. With an EPSS score of 0.10% indicating low exploitation probability and no confirmed active exploitation, this represents a lower-priority vulnerability that should still be addressed through patching.
Technical Context (AI)
This vulnerability stems from CWE-288 (Authentication Using an Alternate Path or Channel), a class of flaws where authentication logic is incompletely implemented or can be bypassed by accessing the application through different entry points. Mobile Builder is a WordPress plugin that facilitates mobile application development and management. The root cause involves improper authentication validation in one or more API endpoints or administrative functions, likely allowing attackers to either skip authentication checks entirely or exploit logic flaws that treat certain request paths as authenticated when they should require credential verification.
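To make the CWE-288 pattern concrete in a WordPress plugin setting, here is an added illustration (hypothetical code, not taken from the Mobile Builder plugin and not describing its actual flaw): a weak REST route that relies on the admin screen having already authenticated the user, beside a hardened route that enforces the capability check on every entry point. The namespace, option name and function names are assumptions.

```php
<?php
// Added illustration of CWE-288 in a WordPress plugin. Hypothetical code;
// it is not the Mobile Builder plugin's code and does not describe its flaw.

// Weak pattern: the settings screen is protected by the normal admin
// capability check, but the REST route that performs the same action is
// registered with an "always allow" permission callback. The REST API
// then becomes an alternate path that skips authentication entirely.
function example_plugin_register_weak_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true', // anyone can reach this
    ) );
}

// Hardened pattern: the REST route applies the same capability check as
// the admin screen. Cookie-authenticated REST calls also require a valid
// X-WP-Nonce header; without it WordPress treats the caller as logged out,
// so current_user_can() fails closed.
function example_plugin_register_hardened_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Only the hardened route is hooked; the weak one is kept for comparison.
add_action( 'rest_api_init', 'example_plugin_register_hardened_route' );

function example_plugin_save_settings( WP_REST_Request $request ) {
    // Defence in depth: re-check inside the handler rather than assuming
    // the request arrived through an already-authenticated channel.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
    update_option( 'example_plugin_settings', $value );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class, enumerate every entry point (admin pages, `admin-ajax.php` hooks, REST routes, custom query handlers) and confirm each one performs its own capability check rather than inheriting trust from another path.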
Affected Products (AI)
Mobile Builder WordPress plugin through version 1.4.2 is affected. The vulnerability impacts all installations running the plugin at version 1.4.2 or earlier. Additional version history details are not available from the provided references.
Remediation (AI)
Update Mobile Builder WordPress plugin to a patched version released after 1.4.2. Consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve) for the specific fixed version number and installation instructions. In the interim, restrict access to the plugin's administrative functions using web application firewall rules or WordPress user role restrictions if available.