CVE-2024-11024

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. This is due to the plugin not properly validating a user's password reset code prior to updating their password. This makes it possible for unauthenticated attackers, with knowledge of a user's email address, to reset the user's password and gain access to their account.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3192531/apppresser	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apppresser:apppresser:*:*:*:*:*:wordpress:*:*

History

05 Jun 2025, 17:01

Type	Values Removed	Values Added
First Time		Apppresser Apppresser apppresser
CPE		cpe:2.3:a:apppresser:apppresser::::::wordpress::*
References	~~() https://plugins.trac.wordpress.org/changeset/3192531/apppresser -~~	() https://plugins.trac.wordpress.org/changeset/3192531/apppresser - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve - Third Party Advisory

Information

Published : 2024-11-26 11:21

Updated : 2025-06-05 17:01

NVD link : CVE-2024-11024

Mitre link : CVE-2024-11024

CVE.ORG link : CVE-2024-11024

JSON object : View

Products Affected

apppresser

apppresser

CWE

CWE-230

Improper Handling of Missing Values

{"id": "CVE-2024-11024", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-11-26T11:21:58.660", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3192531/apppresser", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43cb0399-4add-43d5-863c-30e11803bd90?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-230"}]}], "descriptions": [{"lang": "en", "value": "The AppPresser \u2013 Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. This is due to the plugin not properly validating a user's password reset code prior to updating their password. This makes it possible for unauthenticated attackers, with knowledge of a user's email address, to reset the user's password and gain access to their account."}, {"lang": "es", "value": "El complemento AppPresser \u2013 Mobile App Framework para WordPress es vulnerable a la escalada de privilegios mediante la apropiaci\u00f3n de cuentas en todas las versiones hasta la 4.4.6 incluida. Esto se debe a que el complemento no valida correctamente el c\u00f3digo de restablecimiento de contrase\u00f1a de un usuario antes de actualizar su contrase\u00f1a. Esto hace posible que atacantes no autenticados, con conocimiento de la direcci\u00f3n de correo electr\u00f3nico de un usuario, restablezcan la contrase\u00f1a del usuario y obtengan acceso a su cuenta."}], "lastModified": "2025-06-05T17:01:36.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apppresser:apppresser:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "0AFA693B-777E-4CFB-9C92-A1C69CA63D78", "versionEndExcluding": "4.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}