CVE-2025-4973

Name of the Vulnerable Software and Affected Versions Workreap plugin for WordPress versions up to, and including, 3.3.1

Description The issue arises from the plugin's failure to properly verify a user's identity before logging them in when verifying an account with an email address. This allows unauthenticated attackers to log in as registered users, including administrators, if they know the user's email address. The exploitation is only possible if the user's confirmation key has not already been set by the plugin.

Recommendations For Workreap plugin for WordPress versions up to, and including, 3.3.1, update to a version higher than 3.3.1 to resolve the authentication bypass issue. As a temporary workaround, consider restricting access to the email verification feature until a patch is available. Avoid using the email verification feature with unconfirmed confirmation key values until the issue is resolved.