PT-2021-16021 · WordPress · Workreap

Harald Eilertsen · Published 2021-08-09 · Updated 2023-06-12

CVE-2021-24499
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Workreap WordPress theme, versions prior to 2.2.2

Description
The issue allows unauthenticated visitors to upload arbitrary files, including executable code such as PHP scripts, to the uploads/workreap-temp directory, because the workreap award temp file uploader and workreap temp file uploader AJAX actions perform no nonce check and no validation of the submitted file. The uploaded files are neither sanitized nor validated.

Recommendations
For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, consider disabling the workreap award temp file uploader and workreap temp file uploader functions until a patch is available. Restrict access to the uploads/workreap-temp directory to minimize the risk of exploitation.
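As an added illustration of what the description calls for (this is not the Workreap theme's code or its actual fix), the following WordPress AJAX upload handler closes both gaps named above: it requires a valid nonce and an upload capability before touching the request, and it accepts only an allowlist of document types so that PHP scripts can never be stored. The hook name, nonce action and allowed-type list are assumptions chosen for the example.

```php
<?php
// Added example, not the Workreap theme's code. The hook name, the nonce
// action and the allowed-type list are assumptions chosen for illustration.

// Registered for logged-in users only (no wp_ajax_nopriv_ variant), since the
// advisory's issue is that unauthenticated visitors could reach the uploader.
add_action( 'wp_ajax_example_temp_file_uploader', 'example_temp_file_uploader' );

function example_temp_file_uploader() {
    // 1. Nonce check: a missing or invalid nonce ends the request with HTTP 403.
    check_ajax_referer( 'example_temp_upload', 'security' );

    // 2. Capability check: authentication alone is not authorization to upload.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // 3. Allowlist of accepted types; .php and other executable types never match.
    $allowed_mimes = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        sanitize_file_name( $_FILES['file']['name'] ),
        $allowed_mimes
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 4. Let WordPress move the file: the allowlist is re-applied and the stored
    //    name is random, so the client controls neither the type nor the path.
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form'                => false,
        'mimes'                    => $allowed_mimes,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 20, false ) . $ext;
        },
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The client side must send the nonce produced by wp_create_nonce( 'example_temp_upload' ) in the `security` field; serving the upload directory with script execution disabled at the web server is an independent second layer that the recommendation above also points to.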


Weakness Enumeration
Unrestricted File Upload

Related Identifiers
CVE-2021-24499

Affected Products
Workreap