AppPresser Mobile App Framework Missing Authorization Vulnerability Allowing Data Exposure

Vulnerability

A vulnerability exists in the AppPresser Mobile App Framework plugin for WordPress, in all versions through 4.5.0. The issue arises from a lack of proper capability checks in the 'myappp_verify' function, which allows unauthenticated users to access sensitive information. This includes details about installed plugins and themes, such as names and version numbers, which could be exploited to target outdated or vulnerable components.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, specifically plugin and theme details that could be used to exploit known vulnerabilities in those components.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress REST API endpoint '/appp/v1/myappp-verify' without authentication. This can be done using a tool like Postman or through a simple script that makes an unauthenticated HTTP request to the endpoint.

Remediation

Users are advised to update the AppPresser Mobile App Framework plugin to version 4.5.1 or later.
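On a site that ran an affected version, the web server access log shows whether the endpoint was queried. The following triage script is an added example, not code from the plugin or from this advisory's authors; it assumes combined-format access logs, the default WordPress '/wp-json/' prefix and the 'rest_route' query form, and its sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/appp/v1/myappp-verify"  # REST route named in the advisory
# Combined log format: client address, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2025:07:20:01 +0000] "GET /wp-json/appp/v1/myappp-verify HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [30/Oct/2025:07:20:09 +0000] "GET /?rest_route=%2Fappp%2Fv1%2Fmyappp-verify HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '198.51.100.23 - - [30/Oct/2025:16:02:44 +0000] "GET /wp-json/appp/v1/myappp-verify/ HTTP/1.1" 401 94 "-" "python-requests/2.31"',
    '192.0.2.10 - - [30/Oct/2025:16:05:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8301 "-" "Mozilla/5.0"',
]

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    if idx != -1:
        route = path[idx + len("/wp-json"):]
    else:
        values = parse_qs(parts.query).get("rest_route")
        if not values:
            return None
        route = values[0]
    # Normalise slashes and case so URL variants are not missed.
    return "/" + route.strip("/").lower()

def find_hits(lines):
    """Return (client, method, status) for every request to ROUTE."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and rest_route(m.group(3)) == ROUTE:
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

def summarize(hits):
    """Count successful (2xx) responses per client address."""
    return Counter(client for client, _, status in hits if 200 <= status < 300)

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for client, method, status in hits:
        print(client, method, status)
    print(dict(summarize(hits)))
```

Access logs in this format do not record whether a request carried credentials, so every 2xx hit from before the update should be reviewed.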

Added: Oct 30, 2025, 7:17 AM
Updated: Oct 30, 2025, 3:55 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.