CVE-2024-4611
📋 TL;DR
The AppPresser WordPress plugin has an authentication bypass vulnerability in versions up to 4.3.2. Unauthenticated attackers can log in as any existing user, including administrators, if the server lacks the OpenSSL PHP extension and users previously logged in via the plugin API. This affects all WordPress sites using vulnerable AppPresser plugin versions.
💻 Affected Systems
- AppPresser WordPress Plugin
📦 What is this software?
Apppresser by Apppresser
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with administrative privileges, allowing data theft, defacement, malware injection, and full control over the WordPress installation.
Likely Case
Unauthenticated attackers gain administrative access to compromise the site, install backdoors, steal sensitive data, and potentially pivot to other systems.
If Mitigated
No impact if OpenSSL extension is installed or plugin is patched/disabled.
🎯 Exploit Status
Exploitation requires specific conditions but is straightforward when those conditions are met. Public proof-of-concept exists in vulnerability disclosures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.3 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3093975/apppresser
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the AppPresser plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.3.3+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Enable PHP OpenSSL Extension
Linux: Install and enable the OpenSSL PHP extension on your web server to prevent exploitation. The package name differs by distribution (the apt command below is one example), so confirm afterwards with 'php -m | grep openssl' that the module is actually loaded.
sudo apt-get install php-openssl
sudo systemctl restart apache2 (or nginx/php-fpm)
Disable AppPresser Plugin
All platforms: Temporarily disable the AppPresser plugin until patching is possible.
wp plugin deactivate apppresser
🧯 If You Can't Patch
- Ensure PHP OpenSSL extension is installed and enabled on all servers
- Disable or remove the AppPresser plugin entirely
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → AppPresser version. If the version is 4.3.2 or lower, you are running a vulnerable release. Also check whether the PHP OpenSSL extension is loaded, via phpinfo() or 'php -m | grep openssl': the bypass is only exploitable when the extension is absent, but an outdated plugin should be updated regardless.
Check Version:
wp plugin get apppresser --field=version
Verify Fix Applied:
Confirm AppPresser plugin version is 4.3.3 or higher in WordPress admin panel and verify PHP OpenSSL extension is installed.
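The two checks above combined into one script, added here as an example (not code from the advisory, the AppPresser project or Wordfence). It assumes the `wp` CLI and `php` binaries are on PATH when run directly; the helper functions also accept captured output, and the embedded `php -m` sample is constructed.

```python
"""Check both CVE-2024-4611 preconditions on one host.

Constructed example, not AppPresser's or Wordfence's code. Assumes the
`wp` CLI and `php` binaries are on PATH when run as a script; the pure
functions can also be fed captured output from elsewhere.
"""
import re
import subprocess

LAST_VULNERABLE = (4, 3, 2)  # fixed in 4.3.3 and later

# Constructed sample of `php -m` output with the openssl module missing.
SAMPLE_PHP_M_NO_OPENSSL = "[PHP Modules]\nCore\nctype\njson\n\n[Zend Modules]\n"


def parse_version(text):
    """Turn '4.3.2' (or '4.3.2-beta1', '4.3') into a comparable int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def openssl_loaded(php_m_output):
    """True if 'openssl' appears as a module name in `php -m` output."""
    modules = {line.strip().lower() for line in php_m_output.splitlines()}
    return "openssl" in modules


def assess(plugin_version, php_m_output):
    """Return (vulnerable, reason) using the two conditions from the advisory."""
    outdated = parse_version(plugin_version) <= LAST_VULNERABLE
    no_openssl = not openssl_loaded(php_m_output)
    if outdated and no_openssl:
        return True, "AppPresser <= 4.3.2 and PHP OpenSSL extension not loaded"
    if outdated:
        return False, "AppPresser <= 4.3.2 but OpenSSL is loaded; update anyway"
    return False, "AppPresser is 4.3.3 or later"


if __name__ == "__main__":
    ver = subprocess.run(["wp", "plugin", "get", "apppresser", "--field=version"],
                         capture_output=True, text=True, check=True).stdout
    mods = subprocess.run(["php", "-m"], capture_output=True,
                          text=True, check=True).stdout
    vulnerable, reason = assess(ver, mods)
    print(("VULNERABLE: " if vulnerable else "Not vulnerable: ") + reason)
```

Run it as the web server's user on each host (or PHP-FPM pool) serving the site, since `php -m` only reports the modules of the interpreter it is invoked with.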
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication events from unknown IPs
- Multiple failed login attempts followed by successful admin login
- API authentication requests to AppPresser endpoints
Network Indicators:
- HTTP requests to /wp-json/apppresser/* authentication endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("apppresser" AND ("decrypt_value" OR "doCookieAuth")) AND status=200
🔗 References
- https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L133
- https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_Theme_Switcher.php?rev=2456516#L167
- https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_User.php?rev=2789173#L40
- https://plugins.trac.wordpress.org/changeset/3093975/apppresser
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d1498fdf-9d5e-4277-92be-469d6646864b?source=cve