CVE-2024-4611

HIGH

AppPresser < 4.4.0 - Unauthenticated Authentication Bypass via Missing OpenSSL Exception Handling

Title source: llm

Description

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133

Product

https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167

Product

https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40

Patch

https://plugins.trac.wordpress.org/changeset/3093975/apppresser

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve

Scores

CVSS v3 8.1

EPSS 0.0050

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-703 CWE-754

Status published

Products (2)

apppresser/apppresser < 4.4.0

scottopolis/AppPresser – Mobile App Framework < 4.3.2

Published May 29, 2024

Tracked Since Feb 18, 2026