The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know the user's email address. This is only exploitable if the user's confirmation_key has not already been set by the plugin.
History
Thu, 12 Jun 2025 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Thu, 12 Jun 2025 05:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know the user's email address. This is only exploitable if the user's confirmation_key has not already been set by the plugin. | |
Title | Workreap <= 3.3.1 - Authentication Bypass via 'workreap_verify_user_account' | |
Weaknesses | CWE-288 | |
References | | |
Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: Wordfence
Published: 2025-06-12T05:23:39.978Z
Updated: 2025-06-12T13:07:20.510Z
Reserved: 2025-05-20T00:13:58.960Z
Link: CVE-2025-4973

Updated: 2025-06-12T13:07:17.140Z

Status : Awaiting Analysis
Published: 2025-06-12T06:15:23.440
Modified: 2025-06-12T16:06:20.180
Link: CVE-2025-4973
