CVE-2022-2198

CWE-639Insecure Direct Object Reference3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.2%
top 58.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Wpqa Builder2code Wpqa Builder
Timeline
PublishedAug 22
Latest updateAug 23

Description

The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5unknown/wpqa_builder5.75.7

🔴Vulnerability Details

2
GHSA
GHSA-g3r5-hp64-fq8f: The WPQA Builder WordPress plugin before 52022-08-23
CVEList
WPQA < 5.7 - Subscriber+ Private Message Disclosure via IDOR2022-08-22
CVE-2022-2198 (MEDIUM CVSS 4.3) | The WPQA Builder WordPress plugin b | cvebase.io