Cyber Posture

CVE-2025-68860

CriticalUpdated

Published: 29 December 2025

Published
29 December 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 29.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68860 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access, directly preventing unauthorized exploitation via authentication bypass alternate paths in the Mobile Builder plugin.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Limits and documents specific actions permitted without identification or authentication, mitigating bypass vulnerabilities that allow unauthorized plugin functions.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of flaws, such as patching Mobile Builder versions through 1.4.2 to eliminate the authentication bypass vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder mobile-builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through <= 1.4.2.

Deeper analysisAI

CVE-2025-68860 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) that enables authentication abuse in the Mobile Builder WordPress plugin (mobile-builder). This issue affects all versions from an unspecified starting point through 1.4.2. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

Remote attackers require no authentication or privileges to exploit this vulnerability over the network. Successful exploitation allows attackers to bypass authentication mechanisms entirely, potentially granting unauthorized access to plugin functions and enabling severe compromise of affected WordPress sites.

Patchstack has published an advisory detailing the broken authentication vulnerability in WordPress Mobile Builder plugin version 1.4.2, available at https://patchstack.com/database/Wordpress/Plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve. Security practitioners should review this reference for specific mitigation steps, such as applying available patches or updates beyond version 1.4.2.

Details

CWE(s)
CWE-288

CVEs Like This One

CVE-2025-0749Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-10484Shared CWE-288
CVE-2025-62064Shared CWE-288
CVE-2025-63217Shared CWE-288
CVE-2025-64236Shared CWE-288
CVE-2025-13539Shared CWE-288
CVE-2025-67915Shared CWE-288
CVE-2024-26009Shared CWE-288
CVE-2025-6388Shared CWE-288

References