Skip to main content

Mobile Builder Mobile CVE-2025-68860

CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2025-12-29 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
9.8 (CRITICAL)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 29, 2025 - 22:15 nvd
N/A

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through <= 1.4.2.

AnalysisAI

Mobile Builder WordPress plugin versions 1.4.2 and earlier contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through alternate paths or channels. The plugin fails to properly validate user credentials or session tokens, potentially enabling unauthorized access to sensitive functionality. With an EPSS score of 0.10% indicating low exploitation probability and no confirmed active exploitation, this represents a lower-priority vulnerability that should still be addressed through patching.

Technical ContextAI

This vulnerability stems from CWE-288 (Authentication Using an Alternate Path or Channel), a class of flaws where authentication logic is incompletely implemented or can be bypassed by accessing the application through different entry points. Mobile Builder is a WordPress plugin that facilitates mobile application development and management. The root cause involves improper authentication validation in one or more API endpoints or administrative functions, likely allowing attackers to either skip authentication checks entirely or exploit logic flaws that treat certain request paths as authenticated when they should require credential verification.

Affected ProductsAI

Mobile Builder WordPress plugin through version 1.4.2 is affected. The vulnerability impacts all installations running the plugin at version 1.4.2 or earlier. Additional version history details are not available from the provided references.

RemediationAI

Update Mobile Builder WordPress plugin to a patched version released after 1.4.2. Consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve) for the specific fixed version number and installation instructions. In the interim, restrict access to the plugin's administrative functions using web application firewall rules or WordPress user role restrictions if available.

Share

CVE-2025-68860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy