Unknown Discy vulnerabilities

CVE-2022-3343 [LOW] CWE-639 CVE-2022-3343: The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Hime The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.

CVE-2022-1323 [MEDIUM] CWE-862 CVE-2022-1323: The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request.

CVE-2022-1422 [MEDIUM] CWE-352 CVE-2022-1422: The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_o The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

CVE-2022-1421 [MEDIUM] CWE-352 CVE-2022-1421: The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack