Unauthenticated attackers can log in as any existing user on the site, including administrators, via the plugin API
CVE-2024-4611

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Apppresser – Mobile App Framework
Vendor: CVE Published:; 29 May 2024

Summary

The AppPresser plugin for WordPress has a vulnerability related to improper missing encryption exception handling in the 'decrypt_value' and 'doCookieAuth' functions. All versions up to and including 4.3.2 are affected. This vulnerability permits unauthenticated attackers to gain access as any existing user, including administrative accounts, provided the user previously logged in through the plugin API. The exploitation of this vulnerability is contingent upon the absence of the 'openssl' PHP extension on the server, which can potentially leave sites exposed to unauthorized access and compromise.

Affected Version(s)

AppPresser – Mobile App Framework * <= 4.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/apppresser/tru...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 29, 2024
Vulnerability Reserved
May 7, 2024

Credit

István Márton