CVE-2024-11024 CRITICAL

CVE-2024-11024: AppPresser – Mobile App Framework <= 4.4.6 - Unauthenticated Privilege Escalation via Password Reset

Vendor: Scottopolis
Product: AppPresser – Mobile App Framework
Weakness: CWE-230
Published: November 26, 2024
Last update: April 8, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. This is due to the plugin not properly validating a user's password reset code prior to updating their password. This makes it possible for unauthenticated attackers, with knowledge of a user's email address, to reset the user's password and gain access to their account.
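The missing step described above is validating the reset code before the password is changed. As an added illustration (not AppPresser's code; the namespace, route and parameter names are assumptions), this is a hardened WordPress REST handler that verifies the key with core's check_password_reset_key() before ever calling reset_password():

```php
<?php
// Hypothetical hardened password-reset endpoint for a WordPress plugin.
// Assumed names: 'example-app/v1', '/reset-password', example_app_handle_reset.
// The reset key is the only credential, so it is checked before any write.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-app/v1', '/reset-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_app_handle_reset',
        'permission_callback' => '__return_true', // public by design; the key is the credential
        'args'                => array(
            'email'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
            'key'      => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'password' => array( 'required' => true ),
        ),
    ) );
} );

function example_app_handle_reset( WP_REST_Request $request ) {
    $email    = $request->get_param( 'email' );
    $key      = $request->get_param( 'key' );
    $password = (string) $request->get_param( 'password' );

    // One generic failure response so the endpoint does not reveal which e-mails exist.
    $generic_error = new WP_Error( 'invalid_reset', 'Invalid or expired reset request.', array( 'status' => 400 ) );

    $user = get_user_by( 'email', $email );
    if ( ! $user || '' === trim( $key ) ) {
        return $generic_error;
    }

    // Core compares the submitted key against the stored, hashed, time-limited
    // token for this login. Anything other than a WP_User means wrong or expired.
    $checked = check_password_reset_key( $key, $user->user_login );
    if ( is_wp_error( $checked ) ) {
        return $generic_error;
    }

    if ( strlen( $password ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.', array( 'status' => 400 ) );
    }

    // Only now is the password changed; wp_set_password() (called by
    // reset_password()) also clears the stored activation key so it cannot be reused.
    reset_password( $checked, $password );

    return rest_ensure_response( array( 'success' => true ) );
}
```

The vulnerable pattern this guards against is reaching reset_password() after looking the user up by e-mail alone, with the key either unchecked or only compared for presence.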

Explanation of Vulnerability in Simple Terms

02 Summary

AppPresser versions 4.4.6 and earlier do not properly validate the password reset code before changing a user's password, so an unauthenticated attacker who knows a user's email address can reset that account's password and take it over. Once in the account, the attacker can read sensitive data, modify site content, or disrupt service availability. The flaw requires no special setup or user interaction. All sites running affected versions are at immediate risk and should update as soon as a patched release is available.

What an attacker can do

03 Attacker Capabilities

Reset any user's password knowing only their email address, then act as that user: read sensitive data, modify content, or crash the site, all without logging in.

Potential impact on your site

04 Site Impact

Attackers can take over user accounts, access private data, alter pages, or take the site offline without any warning.

Conditions required to exploit

05 Prerequisites

Network access and knowledge of a target user's email address; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 26, 2024: CVE published
April 8, 2026: Record updated
