Mobile builder Security & Risk Analysis

wordpress.org/plugins/mobile-builder

The most advanced drag & drop app builder. Create multi templates and app controls.

100 active installs · v1.4.2 · PHP 7.0+ · WP 5.3+ · Updated Dec 30, 2020
Tags: app-builder, mobile-builder, react-native, rnlab, woocommerce-mobile-app
Score: 55 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Dec 26, 2025
Safety Verdict

Is Mobile builder Safe to Use in 2026?

Use With Caution

Score 55/100

Mobile builder has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Dec 26, 2025 · Updated 5yr ago
Risk Assessment

The "mobile-builder" v1.4.2 plugin presents a mixed security posture. While the plugin demonstrates some good practices such as a high percentage of SQL queries using prepared statements and a reasonable rate of output escaping, several significant concerns warrant attention. The static analysis reveals no direct unprotected entry points into the plugin's attack surface, which is a positive sign. However, the taint analysis highlights critical issues with 4 high-severity flows containing unsanitized paths, indicating potential vulnerabilities where user input could be used in unintended ways, possibly leading to path traversal or other file system-related attacks.

The vulnerability history is particularly concerning, with one known critical CVE that remains unpatched. The nature of this past vulnerability, "Authentication Bypass Using an Alternate Path or Channel," aligns with the findings from the taint analysis, suggesting a recurring or related issue. The fact that a critical vulnerability exists and is unpatched, combined with high-severity taint flows, indicates a significant risk that could be actively exploitable.

In conclusion, despite some positive aspects like a limited attack surface and good SQL practices, the presence of an unpatched critical CVE and critical taint flows significantly elevates the risk associated with this plugin. The plugin's historical tendency towards authentication bypass vulnerabilities, coupled with current code signals pointing to unsanitized paths, suggests a need for immediate review and patching to mitigate potential security breaches.

Key Concerns

  • Unpatched critical CVE found
  • High severity taint flows
  • Flows with unsanitized paths found
  • No nonce checks on entry points
  • Less than 100% output escaping
Vulnerabilities: 1

Mobile builder Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Critical: 1

1 total CVE

CVE-2025-68860 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

Mobile builder <= 1.4.2 - Authentication Bypass

Dec 26, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Mobile builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (17 prepared)
Unescaped Output: 18 (42 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 1
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

85% prepared · 20 total queries

Output Escaping

70% escaped · 60 total outputs
Data Flows: 7 unsanitized

Data Flow Analysis

7 flows · 7 with unsanitized paths
<form-checkout> (templates\checkout\form-checkout.php:0)
Attack Surface

Mobile builder Attack Surface

Entry Points: 2
Unprotected: 0

REST API Routes: 2

Method · Namespace · Route · Location
GET · /wp-json/wc/v3 · min-max-prices · api\class-mobile-builder-products.php:67
GET · /wp-json/wc/v3 · products-distance · product\class-mobile-builder-product.php:75

WordPress Hooks: 38

Type · Hook · Location
action · shutdown · api\class-mobile-builder-cart.php:276
action · shutdown · includes\class-mobile-builder-session-handler.php:55
action · wp_logout · includes\class-mobile-builder-session-handler.php:56
filter · nonce_user_logged_out · includes\class-mobile-builder-session-handler.php:59
action · plugins_loaded · includes\class-mobile-builder.php:180
action · rest_api_init · includes\class-mobile-builder.php:195
action · admin_menu · includes\class-mobile-builder.php:198
action · rest_api_init · includes\class-mobile-builder.php:212
action · rest_api_init · includes\class-mobile-builder.php:216
action · wp_loaded · includes\class-mobile-builder.php:217
filter · woocommerce_persistent_cart_enabled · includes\class-mobile-builder.php:218
action · woocommerce_load_cart_from_session · includes\class-mobile-builder.php:219
action · woocommerce_thankyou · includes\class-mobile-builder.php:220
action · rest_api_init · includes\class-mobile-builder.php:224
filter · posts_clauses · includes\class-mobile-builder.php:226
filter · posts_clauses · includes\class-mobile-builder.php:228
filter · posts_clauses · includes\class-mobile-builder.php:229
action · wcfmd_after_delivery_boy_assigned · includes\class-mobile-builder.php:230
action · woocommerce_order_status_changed · includes\class-mobile-builder.php:231
action · after_wcfm_notification · includes\class-mobile-builder.php:232
action · rest_api_init · includes\class-mobile-builder.php:236
action · rest_api_init · includes\class-mobile-builder.php:240
filter · woocommerce_rest_product_object_query · includes\class-mobile-builder.php:241
filter · woocommerce_rest_prepare_product_object · includes\class-mobile-builder.php:242
filter · woocommerce_rest_prepare_product_variation_object · includes\class-mobile-builder.php:246
filter · woocommerce_rest_prepare_product_variation_object · includes\class-mobile-builder.php:249
filter · woocommerce_rest_prepare_product_attribute · includes\class-mobile-builder.php:253
filter · woocommerce_rest_prepare_pa_color · includes\class-mobile-builder.php:255
filter · woocommerce_rest_prepare_pa_image · includes\class-mobile-builder.php:256
action · rest_api_init · includes\class-mobile-builder.php:286
filter · determine_current_user · includes\class-mobile-builder.php:287
action · wp_enqueue_scripts · includes\class-mobile-builder.php:299
filter · digits_rest_token_data · includes\class-mobile-builder.php:305
action · rest_api_init · includes\class-mobile-builder.php:320
filter · woocommerce_rest_prepare_product_object · includes\class-mobile-builder.php:323
filter · woocommerce_rest_prepare_product_cat · includes\class-mobile-builder.php:327
filter · the_title · includes\class-mobile-builder.php:331
filter · wcml_client_currency · includes\class-mobile-builder.php:334
Maintenance & Trust

Mobile builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.6.17
Last updated: Dec 30, 2020
PHP min version: 7.0
Downloads: 16K

Community Trust

Rating: 74/100
Number of ratings: 3
Active installs: 100
Developer Profile

Mobile builder Developer Profile

Mobile Builder

1 plugin · 100 total installs

Trust score: 63
Avg Security Score: 55/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Mobile builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mobile-builder/assets/css/admin.css
/wp-content/plugins/mobile-builder/assets/js/admin.js
Script Paths
https://cdnjs.rnlab.io/1.4.2/static/js/main.js
Version Parameters
mobile-builder/style.css?ver=
mobile-builder/script.js?ver=
https://cdnjs.rnlab.io/1.4.2/static/css/main.css?ver=
https://cdnjs.rnlab.io/1.4.2/static/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
mobile-builder-editor
Data Attributes
data-mobile-builder-component
data-mobile-builder-editor
JS Globals
wp_rnlab_configs
REST Endpoints
/wp-json/mobile-builder/v1/template-mobile
/wp-json/mobile-builder/v1/configs
/wp-json/mobile-builder/v1/license