CVE-2021-24500

HIGH

Workreap < 2.2.2 - Insecure Direct Object Reference and CSRF via AJAX Actions

Title source: llm

Description

Several AJAX actions exposed by the Workreap WordPress theme before 2.2.2 lacked CSRF protection and did not validate the object identifiers passed to them (insecure direct object references). An attacker can therefore trick a logged-in user into submitting a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on that site. The CVSS vector below reflects this: the attacker needs no privileges (PR:N) but does need a victim to interact (UI:R), and the impact is on integrity and availability, not confidentiality.
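The pattern behind this class of bug, shown as an added example that is not Workreap's code (the action name `demo_delete_item`, the `post_id` and `nonce` request fields, and the capability used are assumptions chosen to illustrate a typical `admin-ajax.php` handler, not the theme's real handlers). The first handler has both defects the advisory names; the second closes each with the standard WordPress API:

```php
<?php
// Added illustrative example (not Workreap's code). Action name, request
// fields and capability are assumptions; the API calls are real WordPress
// functions: check_ajax_referer, absint, get_post, current_user_can,
// wp_delete_post, wp_send_json_error, wp_send_json_success, wp_create_nonce.

/*
 * BEFORE (vulnerable pattern): no nonce, no ownership check.
 * Any POST to /wp-admin/admin-ajax.php with action=demo_delete_item and a
 * post_id deletes that post, as long as the browser attaches the victim's
 * session cookie. A form on an attacker-controlled page does exactly that,
 * which is the CSRF half; the caller choosing any post_id is the IDOR half.
 */
function demo_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true );      // IDOR: caller picks any ID
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
// add_action( 'wp_ajax_demo_delete_item', 'demo_delete_item_vulnerable' );

/*
 * AFTER (hardened): the nonce binds the request to a page this user actually
 * loaded (CSRF), and the capability check binds the object to this user (IDOR).
 * Neither check alone is sufficient: a nonce does not stop an authenticated
 * user from deleting someone else's post, and a capability check does not stop
 * a cross-site request made with the victim's own privileges.
 */
function demo_delete_item_hardened() {
    // 1. CSRF: require a nonce created for this action. check_ajax_referer()
    //    terminates the request with "-1" when the nonce is missing or invalid.
    check_ajax_referer( 'demo_delete_item', 'nonce' );

    // 2. Input validation: only a positive integer that names an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'No such item.' ), 404 );
    }

    // 3. Authorization: 'delete_post' is a meta capability, so this resolves to
    //    "may THIS user delete THIS post" (author of the post, or an editor).
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_demo_delete_item', 'demo_delete_item_hardened' );
// Deliberately no 'wp_ajax_nopriv_demo_delete_item' hook: anonymous callers
// must not reach a state-changing action at all.

/*
 * The page that issues the request embeds a nonce for the same action, e.g.
 * via wp_localize_script(); the client then POSTs
 *   action=demo_delete_item&post_id=<id>&nonce=<value>
 * An attacker's page cannot obtain this value, so the forged POST fails step 1.
 */
function demo_delete_item_nonce() {
    return wp_create_nonce( 'demo_delete_item' );
}
```

When auditing a theme or plugin for this bug class, grep every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm the callback reaches a `check_ajax_referer()` / `wp_verify_nonce()` call before any write, and an object-specific `current_user_can()` call before touching the ID the request supplied; a handler that only checks `is_user_logged_in()` still has the IDOR.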

References (2)

https://wpscan.com/vulnerability/0c4b5ecc-54d0-45ec-9f92-b2ca3cadbe56 (Exploit, Third Party Advisory)

Scores

CVSS v3 8.1
EPSS 0.0065
EPSS Percentile 46.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Details

CWE
CWE-283 (Unverified Ownership), CWE-284 (Improper Access Control), CWE-352 (Cross-Site Request Forgery), CWE-862 (Missing Authorization)
Status published
Products (1)
amentotech/workreap < 2.2.2
Published Aug 09, 2021
Tracked Since Feb 18, 2026