Workreap theme < 2.2.2 - Missing Authorization Checks in Ajax Actions
CVE-2021-24501

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Workreap
Vendor: CVE Published:; 9 August 2021

Summary

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

Affected Version(s)

Workreap 2.2.2

References

https://jetpack.com/2021/07/07/multiple-vulnerabilities-i...

x_refsource_MISC

https://wpscan.com/vulnerability/66e4aaf4-5ef7-4da8-a45c-...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 9, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

Harald Eilertsen (Jetpack)