CVE-2025-1561
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious JavaScript into WordPress pages using the AppPresser plugin when logging is enabled. The injected scripts execute whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using AppPresser plugin versions up to 4.4.10 are affected.
💻 Affected Systems
- AppPresser – Mobile App Framework plugin for WordPress
📦 What is this software?
Apppresser by Apppresser
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, take over the WordPress site, install backdoors, and compromise user data including personal information and payment details.
Likely Case
Attackers inject malicious scripts that steal session cookies, redirect users to phishing sites, or display unwanted advertisements.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented and no script injection occurs.
🎯 Exploit Status
Exploitation requires logging to be enabled in the plugin; the injection vector is the 'title' parameter, whose value is rendered without escaping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.11
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the AppPresser plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.4.11 from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable AppPresser Logging
Applies to: all installations
Temporarily disable the logging functionality in the AppPresser plugin settings to prevent exploitation.
Disable AppPresser Plugin
Applies to: WordPress CLI
Temporarily deactivate the AppPresser plugin until it is patched:
wp plugin deactivate apppresser
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Add Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → AppPresser version. If version is 4.4.10 or lower, you are vulnerable.
Check Version:
wp plugin get apppresser --field=version
Verify Fix Applied:
After updating, verify AppPresser plugin version shows 4.4.11 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to AppPresser endpoints with script tags in 'title' parameter
- JavaScript execution in unexpected contexts
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected script loads in page responses
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "apppresser") AND http_method="POST" AND (request_body CONTAINS "<script" OR request_body CONTAINS "javascript:")
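The following is an added example, not code from the advisory or from the AppPresser project: it applies the SIEM query's logic to a handful of constructed log records so the detection can be tested offline. The record field names (source, http_method, uri_path, request_body) are assumed to mirror the query; the "/apppresser/log" path and every request body are invented placeholders. It goes slightly beyond the query by URL-decoding the body before matching (form posts arrive percent-encoded) and by matching case-insensitively, and it extracts the decoded 'title' parameter named above as the injection vector.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (not from any real site). Fields follow the
# SIEM query's names; paths and bodies are placeholders.
SAMPLE_LOGS = [
    {"source": "wordpress", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "request_body": "action=apppresser_log&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"source": "wordpress", "http_method": "POST", "uri_path": "/apppresser/log",
     "request_body": "title=%3Ca+href%3D%22javascript%3Aalert(1)%22%3Ex%3C%2Fa%3E"},
    {"source": "wordpress", "http_method": "GET", "uri_path": "/wp-admin/admin-ajax.php",
     "request_body": ""},
    {"source": "wordpress", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
     "request_body": "action=heartbeat&title=Hello+world"},
    {"source": "nginx", "http_method": "POST", "uri_path": "/apppresser/log",
     "request_body": "title=%3Cscript%3E"},
]

# Markers the SIEM query looks for, made tolerant of case and whitespace:
# an opening <script tag (with or without attributes) or a javascript: URL.
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def is_suspicious(rec: dict) -> bool:
    """True when a record satisfies the advisory's SIEM query.

    The body is URL-decoded first so that %3Cscript%3E and +-encoded spaces
    are seen the way the server sees them.
    """
    if rec.get("source") != "wordpress":
        return False
    path = rec.get("uri_path", "")
    if path != "/wp-admin/admin-ajax.php" and "apppresser" not in path:
        return False
    if rec.get("http_method") != "POST":
        return False
    body = unquote_plus(rec.get("request_body", ""))
    return SCRIPT_MARKERS.search(body) is not None


def title_parameter(rec: dict) -> str:
    """Return the decoded 'title' form field, the parameter the advisory names."""
    params = parse_qs(rec.get("request_body", ""), keep_blank_values=True)
    return params.get("title", [""])[0]


def flag_records(records):
    """Return (index, decoded title) for each record the query would match."""
    return [(i, title_parameter(r)) for i, r in enumerate(records) if is_suspicious(r)]


if __name__ == "__main__":
    for idx, title in flag_records(SAMPLE_LOGS):
        print(f"record {idx}: suspicious title={title!r}")
```

Records 0 and 1 are flagged; record 2 is a GET, record 3 carries a harmless title, and record 4 comes from a source the query excludes. Decoding before matching matters: the raw body of record 0 contains no literal "<script" at all.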
🔗 References
- https://plugins.trac.wordpress.org/browser/apppresser/tags/4.4.10/templates/template.php#L32
- https://plugins.trac.wordpress.org/changeset/3254632/apppresser/tags/4.4.11/inc/AppPresser_Log_Admin.php?old=3219464&old_path=apppresser%2Ftags%2F4.4.10%2Finc%2FAppPresser_Log_Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/77328e35-b6e6-40eb-8c85-896d54419aef?source=cve