CVE-2022-3846

CWE-639Insecure Direct Object Reference4 documents4 sources
Severity
7.5HIGH
EPSS
0.5%
top 32.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown WorkreapAmentotech Workreap
Timeline
PublishedDec 5
Latest updateMay 1

Description

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/workreap< 2.6.3
NVDamentotech/workreap< 2.6.3

🔴Vulnerability Details

2
CVEList
Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR2022-12-05
GHSA
GHSA-84hm-49qm-gq32: The Workreap WordPress theme before 22022-12-05

📋Vendor Advisories

1
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-38412024-05-01
CVE-2022-3846 (HIGH CVSS 7.5) | The Workreap WordPress theme before | cvebase.io