Description
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
Published: 2025-10-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The AppPresser – Mobile App Framework plugin for WordPress contains a missing capability check in the 'myappp_verify' function. This flaw lets unauthenticated callers retrieve sensitive data such as plugin and theme names and their respective version numbers. The exposure is limited to informational data that could help an attacker target older or vulnerable components, but it does not provide direct control or code execution.

Affected Systems

The vulnerability affects all installations of the AppPresser – Mobile App Framework plugin up to and including version 4.5.0. The plugin is distributed by scottopolis and is commonly used on WordPress sites that rely on its mobile app framework capabilities.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity. The EPSS score is reported as < 1%, indicating a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the missing authorization by sending unauthenticated HTTP requests to the plugin's REST API endpoint that triggers the 'myappp_verify' routine, thereby obtaining the exposed information. No privileged context or additional credentials are required for exploitation.

Generated by OpenCVE AI on April 22, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AppPresser plugin to 4.5.1 or later to include the missing capability check.
  • Verify that the function 'myappp_verify' now enforces a capability requirement before returning data.
  • If the upgrade cannot be applied immediately, restrict access to the AppPresser REST API endpoints by requiring authentication or by using a firewall rule to block unauthenticated requests.


Advisories

No advisories yet.

History

Thu, 30 Oct 2025 14:45:00 +0000

Values added (no values removed):

  • First Time appeared: Apppresser; Apppresser apppresser; Wordpress; Wordpress wordpress
  • Vendors & Products: Apppresser; Apppresser apppresser; Wordpress; Wordpress wordpress

Thu, 30 Oct 2025 14:15:00 +0000

Values added (no values removed):

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Oct 2025 07:00:00 +0000

Values added (no values removed):

  • Description: The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
  • Title: AppPresser – Mobile App Framework <= 4.5.0 - Missing Authorization to Unauthenticated Limited Sensitive Information Exposure
  • Weaknesses: CWE-862
  • References
  • Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:09.611Z

Reserved: 2025-10-16T17:44:03.693Z

Link: CVE-2025-11881

Vulnrichment

Updated: 2025-10-30T14:11:31.734Z

NVD

Status: Deferred

Published: 2025-10-30T07:15:32.520

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z
