A critical-severity vulnerability, CVE-2024-13446, was detected in the Workreap plugin for WordPress in versions up to and including 3.2.5. The plugin fails to properly validate a user’s identity before performing social auto-login or updating profile details, including password changes. As a result, unauthenticated attackers can log in as any user whose email address they know, or change an arbitrary user’s password, including an administrator’s, and so take over accounts and escalate privileges. To address this issue, users should upgrade the Workreap plugin to versions 3.2.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13446.
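To check an installation against the affected range stated above (up to and including 3.2.5), the following added example, which is not code from the plugin or from the advisory, reads WordPress plugin headers under a plugins directory and classifies each match. It assumes the plugin's `Plugin Name` header contains "workreap" and that plugins sit at `<plugins_dir>/<slug>/*.php`; the sample tree it builds when run without arguments is constructed, including its directory names and version strings.

```python
import re, sys, tempfile
from pathlib import Path

AFFECTED_MAX = (3, 2, 5)   # from the page: versions up to and including 3.2.5
NAME_NEEDLE = "workreap"   # assumption: the "Plugin Name" header contains this string
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def read_header(php_file):
    """Parse the plugin header comment (WordPress itself reads only the first 8 KiB)."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())   # first occurrence wins
    return fields

def classify(version):
    """Return 'affected', 'outside affected range', or 'unknown' for a version string."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return "unknown"                        # missing or non-numeric: review by hand
    parts = tuple(int(p) for p in m.group().split("."))
    while len(parts) > 3 and parts[-1] == 0:    # "3.2.5.0" is the same release as 3.2.5
        parts = parts[:-1]
    parts += (0,) * (3 - len(parts))            # "3.2" compares as 3.2.0
    return "affected" if parts <= AFFECTED_MAX else "outside affected range"

def audit(plugins_dir):
    """Scan <plugins_dir>/*/*.php and report every plugin whose name matches."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_header(php)
        if NAME_NEEDLE in h.get("plugin name", "").lower():
            findings.append((php.parent.name, h.get("version", ""), classify(h.get("version"))))
    return findings

def build_sample(root):
    """Constructed sample tree; slugs and version numbers are made up for the demo."""
    for slug, ver in [("wr-affected", "3.2.5"), ("wr-newer", "3.3.0"), ("wr-noversion", "")]:
        d = Path(root, slug); d.mkdir()
        ver_line = f" * Version: {ver}\n" if ver else ""
        (d / "plugin.php").write_text(f"<?php\n/**\n * Plugin Name: Workreap\n{ver_line} */\n")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for slug, version, status in audit(target):
        print(f"{slug}: version={version or '?'} -> {status}")
```

Pass the path to a site's plugins directory as the first argument to audit a real installation; an "unknown" result means the header had no parseable version and the plugin should be inspected manually.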