CVE-2024-13446
Published: 12 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13446 is an authentication bypass leading to privilege escalation in the Workreap plugin for WordPress, affecting all versions up to and including 3.2.5. The plugin does not properly verify a user's identity before processing social auto-login actions or before updating profile details such as passwords, so the identity it acts on is effectively whatever the request claims. The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS v3.1 base score of 9.8 (Critical); it enables account takeover without any authentication.
The vulnerability is remotely exploitable by unauthenticated attackers with low attack complexity and no privileges required. If the attacker knows a target user's email address, the flawed social auto-login lets them log in as that user. Alternatively, they can update any user's profile to set a new password, including for administrator accounts, and then log in with it, giving full control of the compromised account.
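The two weak patterns the summary describes, an auto-login that trusts a client-supplied email and a profile update that lets the caller choose the target user, are shown below beside hardened equivalents built on WordPress core APIs. This is an added illustrative example written for this page; it is not Workreap's code, and the AJAX hook names, request field names and the identity-provider endpoint are assumptions.

```php
<?php
// Added illustrative example, not Workreap's code. It shows the two weak patterns the
// advisory describes (social auto-login and profile/password update handled without
// verifying who the caller is) beside hardened equivalents using WordPress core APIs.
// Hook names, request field names and the provider endpoint are assumptions.

/* ---- Vulnerable pattern: a client-supplied email is treated as proof of identity ---- */
function insecure_social_autologin() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        // Anyone who knows a user's email address is logged in as that user.
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown user', 403 );
}

/* ---- Hardened pattern: derive identity from the provider, never from the client ---- */
function verified_provider_email( $access_token ) {
    // Assumed provider endpoint; the real URL depends on the identity provider in use.
    $resp = wp_remote_get( 'https://provider.example/userinfo', array(
        'headers' => array( 'Authorization' => 'Bearer ' . $access_token ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $info = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Accept only an address the provider itself marks as verified.
    if ( empty( $info['email'] ) || empty( $info['email_verified'] ) ) {
        return null;
    }
    return sanitize_email( $info['email'] );
}

function secure_social_autologin() {
    $token = isset( $_POST['provider_token'] ) ? sanitize_text_field( wp_unslash( $_POST['provider_token'] ) ) : '';
    $email = $token ? verified_provider_email( $token ) : null;
    $user  = $email ? get_user_by( 'email', $email ) : false;
    if ( ! $user ) {
        wp_send_json_error( 'authentication failed', 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success();
}

/* ---- Vulnerable pattern: the request names the user whose password is replaced ---- */
function insecure_profile_update() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $pass    = $_POST['password'] ?? '';
    // No login check, no nonce, and the caller picks the victim: any account's
    // password, including an administrator's, can be overwritten.
    wp_update_user( array( 'ID' => $user_id, 'user_pass' => $pass ) );
    wp_send_json_success();
}

/* ---- Hardened pattern: act only on the authenticated caller, behind a nonce ---- */
function secure_profile_update() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'profile_update', 'nonce' ); // terminates on a bad or missing nonce
    $user_id = get_current_user_id();                // never trust a user_id field
    $pass    = isset( $_POST['password'] ) ? wp_unslash( $_POST['password'] ) : '';
    if ( strlen( $pass ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    $result = wp_update_user( array( 'ID' => $user_id, 'user_pass' => $pass ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Only the hardened handlers are registered. Login must stay reachable by anonymous
// callers (wp_ajax_nopriv_); the profile update is exposed to logged-in users only.
add_action( 'wp_ajax_nopriv_social_autologin', 'secure_social_autologin' );
add_action( 'wp_ajax_profile_update', 'secure_profile_update' );
```

The point of the hardened login is that the email used for the lookup comes from the provider's response to a token the server verifies itself; nothing the browser sends is used as identity. The hardened update drops the `user_id` field entirely, so the only account a caller can change is the one they are already authenticated as.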
The advisory records version 3.2.5 as only a partial fix, which is why versions up to and including 3.2.5 are still listed as affected. Practitioners should check the vendor's and Wordfence's advisories for the version that fully remediates the issue and, until that version is deployed, disable the plugin or block its social auto-login and profile-update endpoints. If a vulnerable version was exposed to the Internet, treat accounts as potentially compromised: rotate administrator passwords and review recent logins and password changes for activity the account owners do not recognise. Detailed advisories are available from Wordfence, and the plugin is distributed via ThemeForest.
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- Affected Products: Workreap plugin for WordPress, all versions up to and including 3.2.5
- MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The flaw is an authentication bypass in a public-facing WordPress plugin, so it is reached directly by unauthenticated remote exploitation and yields administrator-level access, either through the social login path or by changing an administrator's password.