CVE-2021-24500
Severity: HIGH
Workreap < 2.2.2 - Insecure Direct Object Reference and CSRF via AJAX Actions
Several AJAX actions in the Workreap WordPress theme before 2.2.2 lacked CSRF protection (no nonce check) and accepted object identifiers from the request without verifying that the caller owned, or was otherwise authorized for, the referenced object (insecure direct object reference). An attacker can therefore trick a logged-in user into submitting a POST request to the vulnerable site and, through that user's session, modify or delete arbitrary objects on the target site.
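The two defects described above usually appear together in a single admin-ajax.php handler, and fixing only one of them leaves the other open. The following PHP is an added illustration of the pattern, not code from the Workreap theme or from the advisories: a hypothetical theme action named demo_delete_item (the action name, the JS handle and the capability used are assumptions) shown first in its vulnerable form and then hardened with a nonce check for CSRF and an object-level ownership/capability check for the IDOR.

```php
<?php
// Added example, not Workreap's code. Hypothetical AJAX action "demo_delete_item"
// that deletes a post by ID; all names below are assumptions for the illustration.

// --- Vulnerable pattern: no nonce, no ownership check ---
// Any POST to admin-ajax.php with action=demo_delete_item_vulnerable&post_id=N
// deletes post N. The browser of a logged-in victim can be made to send it
// (CSRF), and the ID is trusted as supplied (IDOR).
function demo_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_demo_delete_item_vulnerable', 'demo_delete_item_vulnerable' );

// --- Hardened pattern ---
function demo_delete_item_hardened() {
    // 1. CSRF: require a nonce tied to this action. check_ajax_referer() ends the
    //    request (HTTP 403, body "-1") when the nonce is missing or invalid.
    check_ajax_referer( 'demo_delete_item', 'security' );

    // 2. Authentication: wp_ajax_ hooks already require a session (unlike
    //    wp_ajax_nopriv_), but state the requirement explicitly.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 3. Object-level authorization: the caller must own the object or hold the
    //    meta capability for this specific post. The ID alone is never enough.
    if ( (int) $post->post_author !== get_current_user_id()
         && ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_demo_delete_item', 'demo_delete_item_hardened' );

// The front end must send the nonce with the request; expose it to the script
// that calls admin-ajax.php (script path and handle are assumptions).
function demo_enqueue_delete_script() {
    wp_enqueue_script(
        'demo-delete',
        get_template_directory_uri() . '/js/demo-delete.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-delete', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_delete_item' ), // sent as the "security" field
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_delete_script' );
```

When auditing a theme for this class of bug, check each wp_ajax_ and wp_ajax_nopriv_ callback for both controls separately: a nonce stops the cross-site request but does nothing about a legitimately logged-in user supplying someone else's object ID, and an ownership check does nothing about a forged request made with the victim's own session.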
References (2)
https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/
  Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/0c4b5ecc-54d0-45ec-9f92-b2ca3cadbe56
  Exploit, Third Party Advisory (x_refsource_misc)
Scores
CVSS v3 base score: 8.1 (HIGH)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0065 (percentile 46.3%)
Reading the vector: the attacker needs no privileges on the site (PR:N) but does need a logged-in victim to act on a crafted request (UI:R); there is no confidentiality impact (C:N), while integrity and availability impact are high (I:H, A:H) because the forged request can modify or delete objects.
Details
CWE
CWE-283: Unverified Ownership
CWE-284: Improper Access Control
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-862: Missing Authorization
Status
published
Products (1)
amentotech/workreap
< 2.2.2
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026