CVE-2025-5012

CWE-434Unrestricted File Upload3 documents3 sources
Severity
8.8HIGH
EPSS
1.4%
top 19.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Amentotech Workreap
Timeline
PublishedJun 12

Description

The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_upload_to_media' function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDamentotech/workreap< 3.3.3
CVEListV5amentotech/workreap3.3.2

🔴Vulnerability Details

2
GHSA
GHSA-qw6x-3c35-7g85: The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missin2025-06-12
CVEList
Workreap <= 3.3.2 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media'2025-06-12
CVE-2025-5012 (HIGH CVSS 8.8) | The Workreap plugin for WordPress | cvebase.io