63 matches found
CVE-2022-1425 WPQA < 5.2 - Subscriber+ Private Message Disclosure via IDOR
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the messageid of the wpqamessageview ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Dire...
CVE-2022-1349 WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the imageid parameter of the ajax action wpqaremoveimage belongs to the requesting user, allowing any users with privileges as low as Subscriber to...
CVE-2022-1051
The CVE-2022-1051 issue affects the WPQA Builder plugin for WordPress (versions before 5.2), used as a companion plugin for the Discy and Himer themes. The vulnerability stems from insufficient sanitization/escaping of city, phone, or profile credential fields when rendering the profile page, ena...