How to fix CVE-2025-4973?

Within 24 hours: Identify all WordPress installations using Workreap plugin versions up to 3.3.1 and determine if any accounts have unset confirmation_keys. Disable the account verification email feature if not critical to operations. Within 7 days: Implement WAF rules to block suspicious authentication requests, isolate affected environments, and establish monitoring for unauthorized login attempts. Contact Workreap developers for patch timeline. Within 30 days: Either apply a vendor patch when released, migrate to an alternative plugin, or decommission the affected WordPress installation if business criticality is low.

Is PHP affected by CVE-2025-4973?

A critical authentication bypass vulnerability in the Workreap WordPress plugin allows attackers to impersonate any registered user, including administrators, using only an email address.

CVE-2025-4973

EUVD-2025-18159 CRITICAL

2025-06-12 [email protected]

WordPress Authentication Bypass PHP Workreap

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:20 euvd

EUVD-2025-18159

Analysis Generated

Mar 14, 2026 - 21:20 vuln.today

CVE Published

Jun 12, 2025 - 06:15 nvd

CRITICAL 9.8

DescriptionNVD

The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user's email address. This is only exploitable fi the user's confirmation_key has not already been set by the plugin.

AnalysisAI

A authentication bypass vulnerability in all (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Technical ContextAI

Vulnerability type: authentication bypass. CVSS 9.8 indicates critical severity with likely remote exploitation vector. Affects all.

RemediationAI

Monitor vendor channels for patch availability. Restrict network access to affected components and enable MFA as interim mitigation.

CVE-2025-4973 vulnerability details – vuln.today

Back

CVE-2025-4973

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code