CVE-2025-4973
BaseFortify
Publication date: 2025-06-12
Last updated on: 2025-07-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amentotech | workreap | to 3.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Workreap plugin for WordPress (up to version 3.3.1) and allows an attacker to bypass authentication. The plugin fails to properly verify a user's identity before logging them in when verifying an account with an email address. As a result, an unauthenticated attacker who knows a registered user's email address can log in as that user, including administrators, if the user's confirmation_key has not yet been set.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to gain unauthorized access to user accounts, including administrator accounts. This can lead to full compromise of the WordPress site, allowing attackers to modify content, steal sensitive information, disrupt services, or perform other malicious actions with high privileges.