CVE-2022-1349

CWE-287Improper Authentication3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.2%
top 57.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Wpqa Builder Plugin2code Wpqa Builder
Timeline
PublishedMay 16
Latest updateMay 17

Description

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5unknown/wpqa_builder_plugin5.25.2

🔴Vulnerability Details

2
GHSA
GHSA-mfhm-pr46-c4c3: The WPQA Builder Plugin WordPress plugin before 52022-05-17
CVEList
WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR2022-05-16
CVE-2022-1349 (MEDIUM CVSS 4.3) | The WPQA Builder Plugin WordPress p | cvebase.io