Mobile builder <= 1.4.2 - Authentication Bypass
Description
The Mobile builder plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to bypass authentication.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.4.2# Exploitation Research Plan - CVE-2025-68860 (Mobile builder) ## 1. Vulnerability Summary The **Mobile builder** plugin (<= 1.4.2) contains an authentication bypass vulnerability. This allows an unauthenticated attacker to gain access to a WordPress site, typically as an administrator, by utilizin…
Show full research plan
Exploitation Research Plan - CVE-2025-68860 (Mobile builder)
1. Vulnerability Summary
The Mobile builder plugin (<= 1.4.2) contains an authentication bypass vulnerability. This allows an unauthenticated attacker to gain access to a WordPress site, typically as an administrator, by utilizing an "alternate path"—an entry point intended for mobile app synchronization or previewing that fails to implement proper authentication or authorization checks.
2. Attack Vector Analysis
- Vulnerable Endpoint (Inferred): Likely an unauthenticated AJAX handler (
wp_ajax_nopriv_*) or a REST API route (register_rest_route) registered by the plugin. - Alternate Path (Inferred): A specific parameter (e.g.,
?mobile_login=1,?auth_key=..., or a custom action likemobile_builder_sync) that triggers a session creation or allows admin actions. - Authentication Level: Unauthenticated (PR:N).
- Preconditions: The plugin must be active.
3. Code Flow (Tracing the Vulnerability)
Since source files are not provided, the research agent must identify the specific code path using the following search strategy:
- Identify Unauthenticated Entry Points:
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/mobile-builder/ grep -rn "register_rest_route" /var/www/html/wp-content/plugins/mobile-builder/ - Search for Session/Authentication Sinks:
Look for where the plugin might be logging a user in or setting authentication cookies:grep -rn "wp_set_auth_cookie\|wp_set_current_user\|wp_signon" /var/www/html/wp-content/plugins/mobile-builder/ - Trace the Logic:
If awp_ajax_nopriv_handler calls a function that eventually leads towp_set_auth_cookiewithout verifying a cryptographically secure token or password, that is the bypass.- Focus: Look for logic that accepts a
user_idorusernameparameter and callswp_set_auth_cookie( $user_id ).
- Focus: Look for logic that accepts a
4. Nonce Acquisition Strategy
If the vulnerable endpoint is an AJAX handler, it may require a nonce.
- Find the Nonce Creation:
grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/mobile-builder/ - Locate the Localized Script:
Look forwp_localize_scriptto see how the nonce is passed to the frontend:grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/mobile-builder/ - Extraction Plan:
- If a shortcode is required to load the script (e.g.,
[mobile_builder_preview]), create a page:wp post create --post_type=page --post_status=publish --post_content='[inferred_shortcode]' - Navigate to the page.
- Use
browser_evalto extract the nonce:window.mobile_builder_data?.nonce(Verify names against thewp_localize_scriptcall found in step 2).
- If a shortcode is required to load the script (e.g.,
5. Exploitation Strategy
The goal is to trigger the authentication bypass and receive a valid wordpress_logged_in_* cookie.
Step 1: Trigger the Bypass
Assuming a vulnerable AJAX action found via grep (e.g., wp_ajax_nopriv_mobile_builder_login):
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Payload:
action=mobile_builder_login&user_id=1&nonce=[EXTRACTED_NONCE](Parameters inferred; adjust based on code analysis).
Step 2: Capture Cookies
The response to the vulnerable request should include Set-Cookie headers for:
wordpress_logged_in_[HASH]wordpress_[HASH]
Step 3: Access Admin Area
Use the http_request tool to access /wp-admin/ using the captured cookies to confirm the bypass.
6. Test Data Setup
- Install and activate
mobile-builderversion 1.4.2. - Ensure a user with ID 1 (standard admin) exists.
- (If needed) Create a page with the plugin's shortcode to facilitate nonce extraction.
7. Expected Results
- The bypass request returns a
200 OKor302 Found. - The response headers contain authentication cookies.
- A subsequent request to
/wp-admin/using these cookies returns the administrative dashboard rather than a login screen.
8. Verification Steps
After the HTTP exploit, verify the bypass status via WP-CLI:
# Check the last login time for the admin user (if the plugin updates it)
wp user get 1 --field=user_login
# Or verify the state of any option modified by the bypass
wp option get mobile_builder_settings
9. Alternative Approaches
- REST API Path: If no AJAX handlers look promising, check for REST routes registered with
'permission_callback' => '__return_true'or missing the callback entirely. - Initialization Hooks: Check
initorplugins_loadedin the main plugin file for code that checksisset($_REQUEST['mobile_builder_auth'])and callswp_set_auth_cookiedirectly. This bypasses the AJAX/REST infrastructure entirely.
Summary
The Mobile builder plugin for WordPress (versions <= 1.4.2) is vulnerable to a critical authentication bypass. This flaw allows unauthenticated attackers to bypass authentication and gain administrative access by exploiting an improperly secured 'alternate path' designed for mobile app synchronization or previewing.
Exploit Outline
To exploit this vulnerability, an attacker must identify an unauthenticated entry point (such as a wp_ajax_nopriv_ handler or a REST API route) registered by the plugin that lacks proper authorization checks. If a nonce is required, it can be extracted from the localized script data in the site's frontend source code. The attacker then sends a crafted request to this endpoint, passing a target user ID (typically 1 for the site administrator). If successful, the server responds with a Set-Cookie header containing valid wordpress_logged_in_* cookies, which the attacker can then use to access the administrative dashboard.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.