
Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover

Medium
Published: Tue Jul 08 2025 (07/08/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover

AI-Powered Analysis

Last updated: 07/16/2025, 21:20:25 UTC

Technical Analysis

The Stacks Mobile App Builder plugin for WordPress, version 5.2.3 and earlier, contains a critical authentication bypass vulnerability identified as CVE-2024-50477. This vulnerability allows an attacker to perform an account takeover by exploiting improper authentication mechanisms within the plugin. Specifically, by appending crafted query parameters `?mobile_co=1&uid=1` to the target WordPress site URL, an attacker can impersonate any user by specifying their user ID. User ID 1 typically corresponds to the site administrator account, granting the attacker full administrative privileges. Upon accessing the URL with these parameters, the attacker receives an authentication cookie for the targeted user ID without needing valid credentials or prior authentication. This cookie can then be used to access the WordPress admin dashboard (`/wp-admin`), effectively bypassing all authentication controls. The exploit has been tested on Ubuntu 24.10 within a Docker environment, confirming its reliability. The root cause is the plugin's failure to properly validate and sanitize user input in URL parameters, allowing unauthorized session creation. No official patch or fix links are currently available, and while no known widespread exploitation has been reported yet, the availability of public exploit code increases the risk of imminent attacks. The vulnerability affects websites using the Stacks Mobile App Builder plugin, which is popular for creating mobile apps integrated with WordPress sites. Given the high privileges gained through this bypass, attackers can manipulate site content, inject malicious code, steal sensitive data, or use the compromised site as a launchpad for further attacks.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially those relying on WordPress sites enhanced with the Stacks Mobile App Builder plugin. Successful exploitation results in full administrative control over the affected WordPress site, compromising confidentiality, integrity, and availability. Attackers can deface websites, steal customer data, implant malware, or disrupt business operations. Given the widespread use of WordPress across Europe for corporate, governmental, and e-commerce websites, the impact could be severe. Organizations handling personal data under GDPR face potential regulatory penalties if breaches occur. Additionally, compromised sites may be used to distribute malware or phishing campaigns targeting European users, amplifying the threat. The ease of exploitation without authentication or user interaction lowers the barrier for attackers, increasing the likelihood of attacks. The lack of a patch means organizations remain vulnerable until mitigations are applied or updates are released. This threat can also damage brand reputation and customer trust for affected entities.

Mitigation Recommendations

1. Immediately disable or uninstall the Stacks Mobile App Builder plugin until a secure patched version is released, eliminating the attack vector.
2. Restrict access to the WordPress admin dashboard by implementing IP whitelisting or enforcing VPN-only access to reduce exposure to unauthorized users.
3. Deploy Web Application Firewall (WAF) rules specifically designed to detect and block requests containing suspicious query parameters such as `mobile_co` and `uid`, or anomalous authentication cookie issuance patterns.
4. Continuously monitor web server and WordPress logs for unusual access patterns, particularly requests carrying the exploit parameters or unexpected administrative logins, to detect potential exploitation attempts early.
5. Enforce strong multi-factor authentication (MFA) for all WordPress administrator accounts. MFA may not fully prevent this cookie-based bypass, but it adds a layer of defense and helps mitigate other attack vectors.
6. Regularly back up WordPress sites and databases to enable rapid restoration in case of compromise.
7. Follow vendor channels and security advisories closely for patch releases and apply updates promptly once available.
8. Conduct thorough security audits and penetration testing focusing on WordPress plugins and authentication mechanisms to identify and remediate similar vulnerabilities proactively.
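Recommendations 3 and 4 above call for spotting requests that carry both the `mobile_co` and `uid` query parameters and for correlating them with subsequent administrative access. The following is an added detection example written for this page; it is not code from the advisory, from Exploit-DB, or from the plugin vendor. It parses web server access logs in the common "combined" format, flags requests with both parameters, and reports whether the same client IP reached `/wp-admin` within a short follow-up window. The log lines, IP addresses, timestamps, and the ten-minute correlation window are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format.
# These are illustrative only and do not come from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2025:10:01:12 +0000] "GET /?mobile_co=1&uid=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.7 - - [08/Jul/2025:10:01:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.4 - - [08/Jul/2025:10:02:40 +0000] "GET /blog/?p=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jul/2025:10:05:00 +0000] "GET /?uid=3&mobile_co=1 HTTP/1.1" 302 0 "-" "python-requests/2.32"
192.0.2.9 - - [08/Jul/2025:10:09:00 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 7000 "-" "python-requests/2.32"
198.51.100.4 - - [08/Jul/2025:10:12:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "target": m.group("target"),
        "status": int(m.group("status")),
    }


def is_bypass_attempt(target):
    """True when the request target carries both query parameters named in the advisory."""
    qs = parse_qs(urlsplit(target).query)
    return "mobile_co" in qs and "uid" in qs


def requested_uid(target):
    """The user ID the request asked to impersonate (first 'uid' value), or None."""
    return parse_qs(urlsplit(target).query).get("uid", [None])[0]


def scan(log_text, window=timedelta(minutes=10)):
    """Flag bypass-style requests and note whether the same IP then reached /wp-admin.

    `window` (assumed: 10 minutes) bounds how long after the suspicious request
    an admin-area hit from the same client still counts as correlated.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for a in (e for e in events if is_bypass_attempt(e["target"])):
        followups = [
            e for e in events
            if e["ip"] == a["ip"]
            and e["target"].startswith("/wp-admin")
            and a["ts"] < e["ts"] <= a["ts"] + window
        ]
        findings.append({
            "ip": a["ip"],
            "time": a["ts"].isoformat(),
            "uid": requested_uid(a["target"]),
            "admin_followup": bool(followups),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Feed real logs in by reading the file instead of `SAMPLE_LOG`. A hit with `uid=1` followed by `/wp-admin` access from the same IP is the pattern the advisory describes and warrants immediate session invalidation and password resets for the impersonated account. If the plugin's own mobile clients legitimately send these parameters in your deployment, baseline their source IPs and user agents first so the rule can be tuned before it is used for blocking.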


Technical Details

Edb Id
52357
Has Exploit Code
true
Code Language
text

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover

# Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover
# Date: October 25, 2024
# Exploit Author: stealthcopter
# Vendor Homepage: https://stacksmarket.co/
# Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/
# Version: <= 5.2.3
# Tested on: Ubuntu 24.10/Docker
# CVE: CVE-2024-50477
# References:
# - https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc
... (526 more characters)
Code Length: 1,026 characters

Threat ID: 686e74f66f40f0eb72042dd9

Added to database: 7/9/2025, 1:56:06 PM

Last enriched: 7/16/2025, 9:20:25 PM

Last updated: 8/22/2025, 4:22:05 AM
