Skip to main content

Workscout Core

3 CVEs product

Monthly

CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52716 MEDIUM This Month

Unauthenticated arbitrary file deletion in the WorkScout-Core WordPress plugin (versions <= 1.7.11) allows any remote attacker to delete files on the underlying server without credentials. The flaw stems from a path traversal weakness (CWE-22) in a file-handling endpoint that fails to sanitize user-supplied input before constructing filesystem paths. Exploitation requires no authentication, no user interaction, and no special configuration, meaning every publicly reachable WordPress installation running this plugin version is exposed; no public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Workscout Core
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-24246 MEDIUM POC This Month

The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Workscout Workscout Core
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated arbitrary file deletion in the WorkScout-Core WordPress plugin (versions <= 1.7.11) allows any remote attacker to delete files on the underlying server without credentials. The flaw stems from a path traversal weakness (CWE-22) in a file-handling endpoint that fails to sanitize user-supplied input before constructing filesystem paths. Exploitation requires no authentication, no user interaction, and no special configuration, meaning every publicly reachable WordPress installation running this plugin version is exposed; no public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Workscout Core
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Workscout +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy