CVE-2021-24500

CWE-283 CWE-284 — Improper Access Control CWE-862 — Missing Authorization CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

8.1HIGH

EPSS

0.2%

top 60.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Workreap Amentotech Workreap

Timeline

PublishedAug 9

Latest updateMay 24

Description

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5unknown/workreap2.2.2 — 2.2.2

▶NVDamentotech/workreap< 2.2.2

🔴Vulnerability Details

GHSA

GHSA-x298-h85x-h99q: Several AJAX actions available in the Workreap WordPress theme before 2↗2022-05-24

▶

CVEList

Workreap theme < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities↗2021-08-09

▶