CVE-2024-4611

HIGH

Apppresser < 4.4.0 - Improper Condition Check

Title source: rule

Description

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.

References (5)

[Product] https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133

[Product] https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167

[Product] https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40

[Patch] https://plugins.trac.wordpress.org/changeset/3093975/apppresser

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve

Scores

CVSS v3 8.1

EPSS 0.0179

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-703 CWE-754

Status published

Products (2)

apppresser/apppresser < 4.4.0

scottopolis/AppPresser – Mobile App Framework < 4.3.2

Published May 29, 2024

Tracked Since Feb 18, 2026