CVE-2024-4611
AppPresser <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.
| CWE | CWE-703 |
| Vendor | scottopolis |
| Product | apppresser – mobile app framework |
| Published | May 29, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for scottopolis apppresser – mobile app framework
Be the first to know when new high vulnerabilities affecting scottopolis apppresser – mobile app framework are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
scottopolis / AppPresser – Mobile App Framework
0 ≤ 4.3.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3093975/apppresser
Credits
István Márton