CVE-2025-68860

Mobile builder <= 1.4.2 - Authentication Bypass

criticalAuthentication Bypass Using an Alternate Path or Channel
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Mobile builder plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to bypass authentication.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.4.2
PublishedDecember 26, 2025
Last updatedJanuary 6, 2026
Affected pluginmobile-builder
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68860 (Mobile builder) ## 1. Vulnerability Summary The **Mobile builder** plugin (<= 1.4.2) contains an authentication bypass vulnerability. This allows an unauthenticated attacker to gain access to a WordPress site, typically as an administrator, by utilizin…

Show full research plan

Exploitation Research Plan - CVE-2025-68860 (Mobile builder)

1. Vulnerability Summary

The Mobile builder plugin (<= 1.4.2) contains an authentication bypass vulnerability. This allows an unauthenticated attacker to gain access to a WordPress site, typically as an administrator, by utilizing an "alternate path"—an entry point intended for mobile app synchronization or previewing that fails to implement proper authentication or authorization checks.

2. Attack Vector Analysis

  • Vulnerable Endpoint (Inferred): Likely an unauthenticated AJAX handler (wp_ajax_nopriv_*) or a REST API route (register_rest_route) registered by the plugin.
  • Alternate Path (Inferred): A specific parameter (e.g., ?mobile_login=1, ?auth_key=..., or a custom action like mobile_builder_sync) that triggers a session creation or allows admin actions.
  • Authentication Level: Unauthenticated (PR:N).
  • Preconditions: The plugin must be active.

3. Code Flow (Tracing the Vulnerability)

Since source files are not provided, the research agent must identify the specific code path using the following search strategy:

  1. Identify Unauthenticated Entry Points:
    grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/mobile-builder/
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/mobile-builder/
    
  2. Search for Session/Authentication Sinks:
    Look for where the plugin might be logging a user in or setting authentication cookies:
    grep -rn "wp_set_auth_cookie\|wp_set_current_user\|wp_signon" /var/www/html/wp-content/plugins/mobile-builder/
    
  3. Trace the Logic:
    If a wp_ajax_nopriv_ handler calls a function that eventually leads to wp_set_auth_cookie without verifying a cryptographically secure token or password, that is the bypass.
    • Focus: Look for logic that accepts a user_id or username parameter and calls wp_set_auth_cookie( $user_id ).

4. Nonce Acquisition Strategy

If the vulnerable endpoint is an AJAX handler, it may require a nonce.

  1. Find the Nonce Creation:
    grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/mobile-builder/
    
  2. Locate the Localized Script:
    Look for wp_localize_script to see how the nonce is passed to the frontend:
    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/mobile-builder/
    
  3. Extraction Plan:
    • If a shortcode is required to load the script (e.g., [mobile_builder_preview]), create a page:
      wp post create --post_type=page --post_status=publish --post_content='[inferred_shortcode]'
    • Navigate to the page.
    • Use browser_eval to extract the nonce: window.mobile_builder_data?.nonce (Verify names against the wp_localize_script call found in step 2).

5. Exploitation Strategy

The goal is to trigger the authentication bypass and receive a valid wordpress_logged_in_* cookie.

Step 1: Trigger the Bypass

Assuming a vulnerable AJAX action found via grep (e.g., wp_ajax_nopriv_mobile_builder_login):

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Payload: action=mobile_builder_login&user_id=1&nonce=[EXTRACTED_NONCE] (Parameters inferred; adjust based on code analysis).

Step 2: Capture Cookies

The response to the vulnerable request should include Set-Cookie headers for:

  1. wordpress_logged_in_[HASH]
  2. wordpress_[HASH]

Step 3: Access Admin Area

Use the http_request tool to access /wp-admin/ using the captured cookies to confirm the bypass.

6. Test Data Setup

  1. Install and activate mobile-builder version 1.4.2.
  2. Ensure a user with ID 1 (standard admin) exists.
  3. (If needed) Create a page with the plugin's shortcode to facilitate nonce extraction.

7. Expected Results

  • The bypass request returns a 200 OK or 302 Found.
  • The response headers contain authentication cookies.
  • A subsequent request to /wp-admin/ using these cookies returns the administrative dashboard rather than a login screen.

8. Verification Steps

After the HTTP exploit, verify the bypass status via WP-CLI:

# Check the last login time for the admin user (if the plugin updates it)
wp user get 1 --field=user_login

# Or verify the state of any option modified by the bypass
wp option get mobile_builder_settings

9. Alternative Approaches

  • REST API Path: If no AJAX handlers look promising, check for REST routes registered with 'permission_callback' => '__return_true' or missing the callback entirely.
  • Initialization Hooks: Check init or plugins_loaded in the main plugin file for code that checks isset($_REQUEST['mobile_builder_auth']) and calls wp_set_auth_cookie directly. This bypasses the AJAX/REST infrastructure entirely.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Mobile builder plugin for WordPress (versions <= 1.4.2) is vulnerable to a critical authentication bypass. This flaw allows unauthenticated attackers to bypass authentication and gain administrative access by exploiting an improperly secured 'alternate path' designed for mobile app synchronization or previewing.

Exploit Outline

To exploit this vulnerability, an attacker must identify an unauthenticated entry point (such as a wp_ajax_nopriv_ handler or a REST API route) registered by the plugin that lacks proper authorization checks. If a nonce is required, it can be extracted from the localized script data in the site's frontend source code. The attacker then sends a crafted request to this endpoint, passing a target user ID (typically 1 for the site administrator). If successful, the server responds with a Set-Cookie header containing valid wordpress_logged_in_* cookies, which the attacker can then use to access the administrative dashboard.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.