This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Critical Authentication Bypass in Stacks Mobile App Builder. π **Consequences**: Attackers can bypass login checks, leading to full account takeover and unauthorized access to sensitive data.β¦
π‘οΈ **Root Cause**: CWE-288 (Improper Authentication). π **Flaw**: The `receive_request_checkout()` function fails to properly verify user identity before granting access.β¦
π’ **Vendor**: Stacks. π¦ **Product**: Stacks Mobile App Builder (WordPress Plugin). π **Affected Versions**: Version **5.2.3** and all earlier versions. If youβre running this, youβre exposed!
Q4What can hackers do? (Privileges/Data)
π€ **Privileges**: Full Admin/User Access. πΎ **Data**: Attackers can impersonate **any user** based on User ID. This means they can read, modify, or delete data associated with any account on the site.β¦
π₯ **Exploit**: YES. π **PoC**: Publicly available on GitHub (e.g., `RandomRobbieBF/CVE-2024-50477`). π **Detection**: Nuclei templates exist. Wild exploitation is likely imminent given the ease of access.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for the plugin version. π§ͺ **Test**: Use the provided PoC to attempt login via User ID manipulation. π‘ **Scan**: Run Nuclei templates targeting CVE-2024-50477.β¦
π§ **Workaround**: If patching isnβt possible, **disable the plugin** immediately. π **Block**: Restrict access to WordPress admin endpoints via WAF or firewall rules.β¦
π₯ **Priority**: CRITICAL. π¨ **Urgency**: HIGH. With CVSS High severity and public exploits, this is an active threat. Patch NOW or disable the plugin. Donβt wait for a breach!