WordPress Plugin Vulnerabilities

Stacks Mobile App Builder <= 5.2.3 - Authentication Bypass

Description

The plugin is vulnerable to authentication bypass due to the plugin not properly verifying a user's identity prior to authenticating them via the receive_request_checkout() function. This makes it possible for unauthenticated attackers to log in as any user based on user ID.

Affects Plugins

Plugin icon
stacks-mobile-app-builder
No known fix

References

CVE
CVE-2024-50477
URL
https://patchstack.com/database/vulnerability/stacks-mobile-app-builder/wordpress-stacks-mobile-app-builder-plugin-5-2-3-account-takeover-vulnerability

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
a24129b5-4179-4e93-9e45-a53fdfa1c9e6

Timeline

Publicly Published
2024-10-25 (about 1 year ago)
Added
2024-11-04 (about 1 year ago)
Last Updated
2024-11-04 (about 1 year ago)

Other

Published
Title
Published
2020-01-14
Title
InfiniteWP Client < 1.9.4.5 - Authentication Bypass
Published
2022-11-04
Title
Jeg Elementor Kit < 2.5.7 - Subscriber+ Authorization Bypass
Published
2025-04-07
Title
Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
Published
2014-08-01
Title
Portable phpMyAdmin 1.4.1 - Multiple Script Direct Request Authentication Bypass
Published
2024-11-05
Title
Social Share, Social Login and Social Comments Plugin – Super Socializer < 7.14 - Authentication Bypass