{"api_version":"1","generated_at":"2026-04-10T06:31:20+00:00","cve":"CVE-2024-4611","urls":{"html":"https://cve.report/CVE-2024-4611","api":"https://cve.report/api/cve/CVE-2024-4611.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-4611","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-4611"},"summary":{"title":"AppPresser <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass","description":"The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-05-29 05:16:08","updated_at":"2026-04-08 19:21:42"},"problem_types":["CWE-703","CWE-754","CWE-703 CWE-703 Improper Check or Handling of Exceptional Conditions"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167","name":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3093975/apppresser","name":"https://plugins.trac.wordpress.org/changeset/3093975/apppresser","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133","name":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40","name":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-4611","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4611","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"scottopolis","product":"AppPresser – Mobile App Framework","version":"affected 4.3.2 semver","platforms":[]},{"source":"ADP","vendor":"apppresser","product":"apppresser","version":"affected 4.3.2 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-05-07T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2024-05-07T00:00:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2024-05-28T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"István Márton","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"4611","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apppresser","cpe5":"apppresser","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"4611","cve":"CVE-2024-4611","epss":"0.017870000","percentile":"0.827300000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:02"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:a:apppresser:apppresser:-:*:*:*:*:wordpress:*:*"],"defaultStatus":"unknown","product":"apppresser","vendor":"apppresser","versions":[{"lessThanOrEqual":"4.3.2","status":"affected","version":"0","versionType":"custom"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-4611","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-05-30T15:40:42.572321Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-04T17:56:31.986Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T20:47:41.366Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/3093975/apppresser"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"AppPresser – Mobile App Framework","vendor":"scottopolis","versions":[{"lessThanOrEqual":"4.3.2","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"István Márton"}],"descriptions":[{"lang":"en","value":"The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server."}],"metrics":[{"cvssV3_1":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-703","description":"CWE-703 Improper Check or Handling of Exceptional Conditions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:25:08.103Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167"},{"url":"https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133"},{"url":"https://plugins.trac.wordpress.org/changeset/3093975/apppresser"}],"timeline":[{"lang":"en","time":"2024-05-07T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2024-05-07T00:00:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2024-05-28T00:00:00.000Z","value":"Disclosed"}],"title":"AppPresser <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-4611","datePublished":"2024-05-29T04:30:14.177Z","dateReserved":"2024-05-07T14:59:27.872Z","dateUpdated":"2026-04-08T17:25:08.103Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-29 05:16:08","lastModifiedDate":"2026-04-08 19:21:42","problem_types":["CWE-703","CWE-754","CWE-703 CWE-703 Improper Check or Handling of Exceptional Conditions"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apppresser:apppresser:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"4.4.0","matchCriteriaId":"A5532E6B-4C82-48CE-A6EA-8A3C472F9900"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"4611","Ordinal":"1","Title":"AppPresser <= 4.3.2 - Improper Missing Encryption Exception Hand","CVE":"CVE-2024-4611","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"4611","Ordinal":"1","NoteData":"The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.","Type":"Description","Title":"AppPresser <= 4.3.2 - Improper Missing Encryption Exception Hand"}]}}}