CVE-2022-1425

CWE-639Insecure Direct Object Reference3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.2%
top 59.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Wpqa Builder Plugin2code Wpqa Builder
Timeline
PublishedMay 16
Latest updateMay 17

Description

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5unknown/wpqa_builder_plugin5.25.2

🔴Vulnerability Details

2
GHSA
GHSA-r5pq-3cxr-5rmc: The WPQA Builder Plugin WordPress plugin before 52022-05-17
CVEList
WPQA < 5.2 - Subscriber+ Private Message Disclosure via IDOR2022-05-16
CVE-2022-1425 (MEDIUM CVSS 4.3) | The WPQA Builder Plugin WordPress p | cvebase.io