12 matches found
WordPress WPQA plugin < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF vulnerability
Arbitrary Category and Tag Follow/Unfollow via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin WPQA - Builder forms Addon versions 6.1.1...
the unfollow contract does random unfollow process of random follow token.
Lines of code Vulnerability details Impact: In FollowNft.sol we have the unfollow function. This function is supposed to do the unfollow process, but as you see, the followTokenId variable just returns one random follow id with profile id through mapping and there is no option to select which follow n...
Cannot unfollow a profile without having access to the Follow NFT
Lines of code Vulnerability details Impact In scenarios where a user fails to unfollow a profile before selling his follow NFT, he could forever be unable to unfollow the profile. Proof of Concept A user could sell his follow NFT without unfollowing a profile. If the new owner of the follow NFT...
Users cannot unfollow if they do not own the FollowNFT of the followTokenId used for their profile
Lines of code Vulnerability details Bug Description If the followTokenId of a profile is wrapped, users will only be able to unfollow if they are either: 1. The owner of the follow NFT. 2. An approved operator of the follow NFT's owner. This can be seen in the unfollow function of FollowNFT.sol:...
Users can unfollow through FollowNFT contract when LensHub is paused by governance
Lines of code Vulnerability details Bug Description When the LensHub contract has been paused by governance (state set to ProtocolState.Paused), users should not be able to unfollow profiles. This can be inferred as the unfollow function has the whenNotPaused modifier: LensHub.solL368-L371 function...
wrap after unfollow is enabled
Lines of code Vulnerability details Impact wrap after unfollownft is enabled, cause many problems Proof of Concept by design, wrap after unfollowed is not allowed, but it seems that it's possible due to lack of limitation. poc below: add below script in FollowNFTTest.t.sol //forge test --match-te...
CVE-2023-29218
The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited...
CVE-2022-3688
The WPQA Builder WordPress plugin before 5.9 does not have CSRF check when following and unfollowing users, which could allow attackers to make logged in users perform such actions via CSRF attacks...
PT-2022-23683 · WordPress · Wpqa Builder
Name of the Vulnerable Software and Affected Versions: WPQA Builder WordPress plugin versions prior to 5.9 Description: The issue concerns a lack of CSRF check in the WPQA Builder WordPress plugin, specifically when following and unfollowing users. This could allow attackers to make logged-in use...
CVE-2021-24737
The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
Cross site scripting
The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
Inshackle - Instagram Hacks: Track Unfollowers, Increase Your Followers, Download Stories, Etc
Instagram hacks: Track unfollowers, Increase your followers, Download Stories, etc Features: Unfollow Tracker Increase Followers Download: Stories, Saved Content, Following/followers list, Profile Info Unfollow all your following Usage: git clone https://github.com/thelinuxchoice/inshackle cd...