CVE-2024-13446
Published: 12 March 2025
Summary
CVE-2024-13446 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Amentotech Workreap. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 39.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly authorizes and limits the actions permitted without identification or authentication, preventing the unauthenticated social auto-login and profile updates that enable account takeover.
- IA-5 (Authenticator Management): requires verification of user identity before authenticators such as passwords are changed, directly mitigating unauthorized profile detail updates, including changes to administrator passwords.
- Enforces validation of user identity inputs before sensitive operations such as social auto-login or profile changes are processed, countering the plugin's failure to validate identities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation for privilege escalation to administrator accounts, via password changes or social login.
NVD Description
The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.
Deeper analysis
CVE-2024-13446 is a privilege escalation vulnerability affecting the Workreap plugin for WordPress in all versions up to and including 3.2.5. The issue stems from the plugin failing to properly validate a user's identity before processing social auto-login actions or updating profile details, such as passwords. This flaw, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and assigned a CVSS v3.1 base score of 9.8 (Critical), enables account takeover without authentication.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. If a target user's email address is known, the attacker can log in as that user through the flawed social auto-login. Alternatively, the attacker can update any user's profile to change their password, including administrator accounts, and then gain full access to the compromised account.
The vulnerability was partially fixed in version 3.2.5 of the Workreap plugin, though security practitioners should verify full remediation and consider disabling the plugin or restricting its features until confirmed patched. Detailed advisories are available from Wordfence, and the plugin is distributed via ThemeForest.
Details
- CWE(s)