The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.
The plugin does not properly validate user identity before performing two operations: automatic login via social account (social auto-login) and profile data updates, including password changes. An attacker who knows the victim's email address can log into their account without providing a password by using the social auto-login mechanism. Alternatively, an attacker can change the password of any user — including an administrator — without authentication, and then gain full access to the account.
An unauthenticated attacker can take control of any WordPress user account, including administrator accounts, resulting in complete compromise of the website's confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. Version 3.2.5 contains only a partial fix — it is recommended to monitor updates released by Amentotech and apply the fully patched version as soon as it becomes available.
Workreap plugin for WordPress in all versions up to and including 3.2.5. Note: in version 3.2.5, the vulnerability has been fixed only partially.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAmentotech Workreap
APPAmentotech< 3.2.6
Related vulnerabilities
Authentication Bypass w pluginie Workreap dla WordPress (do wersji 3.3.1)
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_fil...
The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable...
The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible ...
The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that...