9.8
CVE-2024-13446
- EPSS 0.24%
- Veröffentlicht 12.03.2025 09:22:25
- Zuletzt bearbeitet 02.04.2025 12:39:50
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Workreap <= 3.2.5 - Unauthenticated Privilege Escalation via Account Takeover
The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.
Mögliche Gegenmaßnahme
Workreap: Update to version 3.2.6, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Workreap
Version
* - 3.2.5
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Amentotech ≫ Workreap SwPlatformwordpress Version < 3.2.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.474 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.