Potential Privilege Escalation Vulnerability in AppPresser Mobile App Framework Plugin for WordPress
CVE-2024-11024

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Apppresser – Mobile App Framework
Vendor: CVE Published:; 26 November 2024

Summary

The AppPresser Mobile App Framework plugin for WordPress has a vulnerability that enables privilege escalation through account takeover. In versions up to and including 4.4.6, the plugin fails to correctly validate a user's password reset code before allowing a password update. This oversight permits unauthorized attackers, who possess a user's email address, to reset the user's password and potentially gain access to their account. This vulnerability underscores the need for robust security measures to properly validate user actions and safeguard personal information.

Affected Version(s)

AppPresser – Mobile App Framework * <= 4.4.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3192531/appp...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Nov 8, 2024

Credit

Khayal Farzaliyev