CVE-2025-4973: 
WordPress vulnerability analysis and mitigation

The Workreap plugin for WordPress (CVE-2025-4973), used by the Workreap - Freelance Marketplace WordPress Theme, contains an authentication bypass vulnerability affecting all versions up to and including 3.3.1. The vulnerability was discovered and disclosed on June 12, 2025. The issue stems from improper user identity verification during the email account verification process (NVD, Wiz).

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The technical issue arises from the plugin's failure to properly verify a user's identity before logging them in during the account verification process with an email address. The vulnerability is only exploitable if the user's confirmation_key has not already been set by the plugin (NVD, Wiz).

The vulnerability enables unauthenticated attackers to log in as registered users, including administrators, if they know the user's email address. This can lead to complete compromise of affected WordPress sites through unauthorized administrative access. The critical severity rating indicates the potential for significant damage to affected systems (Wiz).

The vulnerability has been patched in version 3.3.2 of the Workreap theme, released on May 23, 2025. Users are strongly advised to update to this version or later to protect their sites from potential exploitation (ThemeForest).