CVE-2024-50527: 
WordPress vulnerability analysis and mitigation

The Stacks Mobile App Builder WordPress plugin version 5.2.3 and earlier contains an Unrestricted Upload of File with Dangerous Type vulnerability that allows attackers to upload a web shell to a web server. The vulnerability was discovered and reported on October 14, 2024, and publicly disclosed on October 30, 2024 (Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NIST NVD, while Patchstack assigned it a CVSS score of 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability is particularly severe as it requires no authentication to exploit (NVD).

This vulnerability allows malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website. Given its critical severity rating and the lack of authentication requirements, this vulnerability is expected to become mass exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website owners are advised to implement mitigation measures immediately (Patchstack).