PT-2025-11003 · WordPress · Workreap

Tonn · Published 2025-03-12 · Updated 2025-04-02 · CVE-2024-13446

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Workreap plugin for WordPress versions up to, and including, 3.2.5
Description: The issue is due to the plugin not properly validating a user's identity before performing a social auto-login or updating profile details such as the password. This makes it possible for unauthenticated attackers to log in as an arbitrary user whose email address is known, or to change an arbitrary user's password, including an administrator's, and leverage that to gain access to the account.
Recommendations: For versions up to, and including, 3.2.5, consider disabling the social auto-login feature and restricting profile detail updates until a patch is available. As a temporary workaround, restrict access to the profile update functionality to minimize the risk of exploitation, and avoid using the password update feature in the affected plugin until the issue is resolved. Note: the vulnerability was partially fixed in version 3.2.5; however, no information is provided about a newer version that fully fixes this issue.
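The root cause described above is a password-update path that trusts the request for the user's identity. The following is an added example, not Workreap code, of how a WordPress AJAX handler for password changes should bind the update to the authenticated caller; the action name, function name and request field names are hypothetical.

```php
<?php
// Added example (not Workreap code): password change bound to the session.
// Hook only the authenticated AJAX action; there is deliberately no
// wp_ajax_nopriv_ variant, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_change_password', 'example_change_password' );

function example_change_password() {
    // 1. Require a valid nonce for this specific action (CSRF protection).
    check_ajax_referer( 'example_change_password', 'nonce' );

    // 2. Identity comes from the session cookie, never from a user_id or
    //    email field in the request body.
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 ); // wp_die()s here
    }

    $current = isset( $_POST['current_password'] ) ? wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';

    // 3. Re-authenticate: the current password must be proven before a new
    //    one is set, so a stolen session or nonce alone is insufficient.
    $user = get_user_by( 'id', $user_id );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    // 4. Update only the caller's own account, then revoke every other
    //    session for that account so a concurrent hijacker is logged out.
    wp_set_password( $new, $user_id );
    WP_Session_Tokens::get_instance( $user_id )->destroy_others( wp_get_session_token() );

    wp_send_json_success( 'password updated' );
}
```

The same principle applies to the social auto-login path: the account to sign in is derived from a token verified server-side with the identity provider, never from an email address supplied by the client.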

Fix · LPE

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers: CVE-2024-13446

Affected Products: Workreap