Unauthenticated attackers can log in as any existing user on the site, including administrators, via the plugin API
CVE-2024-4611
8.1HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 29 May 2024
What is CVE-2024-4611?
The AppPresser plugin for WordPress has a vulnerability related to improper missing encryption exception handling in the 'decrypt_value' and 'doCookieAuth' functions. All versions up to and including 4.3.2 are affected. This vulnerability permits unauthenticated attackers to gain access as any existing user, including administrative accounts, provided the user previously logged in through the plugin API. The exploitation of this vulnerability is contingent upon the absence of the 'openssl' PHP extension on the server, which can potentially leave sites exposed to unauthorized access and compromise.
Affected Version(s)
AppPresser – Mobile App Framework * <= 4.3.2