Impact
The Workreap WordPress plugin contains a flaw in the workreap_temp_upload_to_media function, where file type validation is omitted, allowing any user with Subscriber-level or higher access to upload arbitrary files to the server. The missing type check lets an attacker place PHP, scripts, or other executable files in the upload directory, creating a direct path to remote code execution if the server interprets the file or if the attacker can obtain file execution through other flaws. The vulnerability lies in the upload workflow used by the Workreap freelancing marketplace theme and is not reachable by unauthenticated users. The risk is confined to the affected site and depends on the attacker's ability to upload the file and then trigger its execution.
Affected Systems
The affected product is AmentoTech's Workreap plugin for WordPress, versions up to and including 3.3.2. Administrators and any user with Subscriber-level privileges or higher in the WordPress backend can exploit the flaw. Instances running Workreap theme version 3.3.3 and later are not vulnerable, but any site still using 3.3.2 or earlier remains at risk.
Risk and Exploitability
The CVSS v3.1 score of 8.8 classifies this as High, reflecting high impact and a medium to high probability of exploitation. An EPSS score of 1% indicates that exploitation, while not widespread, remains plausible; the flaw is not currently listed in the CISA KEV catalog. The attack path requires authenticated access to WordPress, but once the file is uploaded the attacker can trigger execution by requesting the file directly or through a vulnerable script that reads uploaded content. Defenders should monitor for unexpected files in the uploads directory and confirm that file permissions prevent execution.
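As an added example (not the plugin's code; the advisory does not show the function's source), the following Python models the file type check the advisory says workreap_temp_upload_to_media omits, and the defender-side sweep of an uploads tree that the last sentence calls for. The allowed extensions, their magic bytes and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile
# Allowed extensions and the magic bytes each must start with (set is assumed;
# the advisory does not list Workreap's intended types).
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # runs if ever interpreted

def validate_upload(filename, data):
    """(accepted, reason): the file type check the advisory says is missing."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:          # blocks cv.pdf.php, .htaccess
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension .%s not in allowlist" % ext
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match .%s signature" % ext
    if any(m in data for m in SCRIPT_MARKERS):   # script hidden behind image
        return False, "script markers found in content"
    return True, "accept"

def scan_uploads_dir(root):
    """Defender sweep: files under an uploads tree failing validate_upload."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ok, reason = validate_upload(name, fh.read(65536))
            if not ok:
                findings[os.path.relpath(path, root)] = reason
    return findings

def demo():
    """Constructed uploads tree (not real data): one clean image, three bad files."""
    root = tempfile.mkdtemp()
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
        "upload.php": b"<?php echo 'hi'; ?>",   # wrong extension
        "photo.jpg": b"<?php echo 'hi'; ?>",    # script behind an image extension
        "cv.pdf.php": b"%PDF-1.4\n",            # double extension
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_uploads_dir(root)
```

Running demo() reports the three planted files with the reason each fails and leaves the clean image out of the findings.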