CVE-2024-4611

Name of the Vulnerable Software and Affected Versions AppPresser plugin for WordPress versions up to, and including, 4.3.2

Description The issue arises from improper missing encryption exception handling on the decrypt value and doCookieAuth functions. This allows unauthenticated attackers to log in as any existing user, including administrators, if they previously used the login via the plugin API. The exploitation of this issue is conditional on the 'openssl' php extension not being loaded on the server.

Recommendations For versions up to, and including, 4.3.2, update to a version that includes a fix for the improper missing encryption exception handling in the decrypt value and doCookieAuth functions. As a temporary workaround, consider disabling the decrypt value and doCookieAuth functions until a patch is available. Ensure the 'openssl' php extension is loaded on the server to prevent exploitation.