CVE-2022-1425 Information

Description

The WPQA Builder Plugin WordPress plugin before 5.2 used as a companion plugin for the Discy and Himer does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

https://wpscan.com/vulnerability/b110e2f7-4aa3-47b5-a8f2-0a7fe53cc467

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

4.3