Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6.
Published: 2026-01-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an SQL injection that permits an attacker to execute arbitrary SQL statements against the database. It results from improper neutralization of special elements in an SQL command, allowing a malicious user to gain full confidentiality, integrity and availability compromise of the exposed data. The likely attack vector is a web request that supplies crafted input to a vulnerable parameter; this inference is made because the description does not specify the exact endpoint but mentions a plugin‑level flaw.

Affected Systems

The flaw affects WordPress sites that use the AmentoTech Workreap plugin, versions from the first release up to and including 3.3.6. Any site deploying this plugin within that version range is susceptible.

Risk and Exploitability

The CVSS score of 8.5 marks the issue as high severity. The EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and no authentication requirements are disclosed in the description, implying the potential for unauthenticated exploitation.

Generated by OpenCVE AI on May 1, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Workreap plugin to the latest available version beyond 3.3.6, which resolves the SQL injection flaw.
  • If an upgrade is not feasible, deactivate or remove the Workreap plugin to eliminate the vulnerability surface.
  • Deploy a web application firewall or implement input filtering rules to detect and block malicious SQL query patterns, mitigating potential attacks until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 05:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Amentotech
Amentotech workreap
Wordpress
Wordpress wordpress
Vendors & Products Amentotech
Amentotech workreap
Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6.
Title WordPress Workreap (theme's plugin) plugin <= 3.3.6 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Amentotech Workreap
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:05.683Z

Reserved: 2025-01-07T21:04:12.249Z

Link: CVE-2025-22728

cve-icon Vulnrichment

Updated: 2026-01-08T14:58:18.609Z

cve-icon NVD

Status : Deferred

Published: 2026-01-08T10:15:48.390

Modified: 2026-04-27T19:16:12.507

Link: CVE-2025-22728

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses