Workreap WordPress Plugin Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the Workreap plugin for WordPress, affecting all versions up to and including 3.3.1. The issue arises because the plugin fails to properly verify a user's identity before logging them in during the email-based account verification process. As a result, unauthenticated attackers who know a registered user's email address can log in as that user, including administrators. The vulnerability is exploitable only for accounts whose confirmation_key has not been set by the plugin.
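As an added illustration (not Workreap's actual code, which this entry does not show), the following hypothetical PHP handler models one way an email verification check ends up logging a user in when no confirmation key was ever stored, placed beside a hardened version of the same check. The meta key name, function names and parameter handling are assumptions.

```php
<?php
// Hypothetical model of the bug class described above; not the plugin's code.
// Assumption: the key is stored as user meta under 'confirmation_key' and the
// verification request carries the account's email and the submitted key.

// Vulnerable pattern: for an account with no pending verification,
// get_user_meta() returns '' (its default for unset meta). A request that
// supplies an empty key therefore satisfies the loose comparison and the
// account is logged in with no proof that the caller controls the mailbox.
function vulnerable_verify_and_login(string $email, string $submitted_key): bool {
    $user = get_user_by('email', $email);
    if (!$user) {
        return false;
    }
    $stored_key = get_user_meta($user->ID, 'confirmation_key', true);
    if ($stored_key == $submitted_key) {   // '' == '' evaluates to true
        wp_set_auth_cookie($user->ID);
        return true;
    }
    return false;
}

// Hardened pattern: refuse when no key was ever issued, require a non-empty
// submitted key, compare in constant time, and consume the key after use so
// the same verification link cannot be replayed.
function hardened_verify_and_login(string $email, string $submitted_key): bool {
    $user = get_user_by('email', $email);
    if (!$user) {
        return false;
    }
    $stored_key = get_user_meta($user->ID, 'confirmation_key', true);
    if (!is_string($stored_key) || $stored_key === '' || $submitted_key === '') {
        return false;   // no pending verification for this account
    }
    if (!hash_equals($stored_key, $submitted_key)) {
        return false;   // wrong key; timing-safe comparison
    }
    delete_user_meta($user->ID, 'confirmation_key');   // single use
    wp_set_auth_cookie($user->ID);
    return true;
}
```

When reviewing a verification or password-reset flow, the condition to look for is whether an absent stored secret is treated as a mismatch rather than compared as an empty string.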

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to log in as registered users, including administrators.

Remediation

Users can update to version 3.3.2 or a newer patched version to address this vulnerability.

Added: Jun 12, 2025, 6:18 AM
Updated: Jun 12, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.