Description
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.
Published: 2025-03-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to store malicious script code in the ‘title’ field of the AppPresser – Mobile App Framework plugin. Because the value is not sanitized or escaped, the injected script is rendered when a page is accessed, causing cross‑site scripting in the victim’s browser. The vulnerability is a classic CWE‑79 flaw: unauthenticated users can create or modify content that will run as the logged‑in user whenever a logged‑in admin or member views the page, compromising confidentiality, integrity, and availability of the web application for those users.

Affected Systems

AppPresser – Mobile App Framework for WordPress – versions 4.4.10 and earlier are affected. The plugin is a WordPress extension and has been identified as vulnerable by the CNA scottopolis for all releases up to 4.4.10.

Risk and Exploitability

The CVSS score is 7.2, indicating a high-severity vulnerability. The EPSS score is below 1%, meaning the likelihood of exploitation is currently low. The issue is not listed in CISA’s KEV catalog. Per the CVE description, the attack vector requires unauthenticated access to store a malicious title value in the plugin’s logging configuration, after which any authenticated user who views the affected page will execute the injected script. The vulnerability is therefore exploitable in realistic scenarios where logging is enabled and logged pages are viewed by users.

Generated by OpenCVE AI on April 22, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AppPresser – Mobile App Framework to version 4.4.11 or later
  • Set logging to disabled or ensure that titles are sanitized before storage
  • Review all user interface elements for proper output escaping to prevent future XSS

Advisories
Source: EUVD
ID: EUVD-2025-6614
Title: The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00167}
Values Added: epss {'score': 0.00255}

Mon, 26 May 2025 02:30:00 +0000

Type: First Time appeared
Values Added: Apppresser; Apppresser apppresser

Type: CPEs
Values Added: cpe:2.3:a:apppresser:apppresser:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Apppresser; Apppresser apppresser

Mon, 17 Mar 2025 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Mar 2025 04:30:00 +0000

Type: Description
Values Added: The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.

Type: Title
Values Added: AppPresser – Mobile App Framework <= 4.4.10 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:40.382Z

Reserved: 2025-02-21T16:49:20.221Z

Link: CVE-2025-1561

Vulnrichment

Updated: 2025-03-17T21:26:28.609Z

NVD

Status: Analyzed

Published: 2025-03-13T05:15:27.890

Modified: 2025-05-26T02:14:52.170

Link: CVE-2025-1561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses