10 matches found
CVE-2022-1598
The CVE-2022-1598 entry concerns the WPQA Builder WordPress plugin (pre-5.5) with an improper access control in a REST API endpoint, enabling unauthenticated users to view private questions/messages between site users. Affected software: WPQA Builder WordPress plugin prior to version 5.5. Root ca...
CVE-2022-1597
The CVE-2022-1597 entry concerns the WordPress WPQA Builder plugin (pre-5.4), used with the Discy/Himer themes. Affected component is the reset-password form parameter, which is not properly sanitized/escaped, enabling Reflected Cross-Site Scripting. The vulnerability allows an attacker to execut...
CVE-2022-1051
The CVE-2022-1051 issue affects the WPQA Builder plugin for WordPress (versions before 5.2), used as a companion plugin for the Discy and Himer themes. The vulnerability stems from insufficient sanitization/escaping of city, phone, or profile credential fields when rendering the profile page, ena...
CVE-2022-1425
CVE-2022-1425 concerns the WPQA Builder Plugin for WordPress (pre-5.2), used with the Discy and Himer themes. The vulnerability arises because the wpqa_message_view AJAX action does not validate that the message_id belongs to the requesting user, enabling an IDOR disclosure where any authenticated use...
CVE-2022-1349
The CVE-2022-1349 issue affects the WordPress WPQA Builder Plugin (prior to v5.2). The underlying flaw is that the image_id parameter in the wpqa_remove_image AJAX action is not validated against the requesting user, enabling an attacker with privileges as low as Subscriber to delete other users’...
CVE-2024-2376
The CVE-2024-2376 issue affects the WordPress WPQA Builder plugin prior to version 6.1.1, where CSRF checks are missing in some areas. An attacker who lures a logged-in user to a crafted page can make that user perform unwanted actions (e.g., Arbitrary Category and Tag Follow/Unfollow), as documented by multiple ...
CVE-2022-3343
The CVE-2022-3343 entry concerns the WPQA Builder WordPress plugin (pre-5.9.3) used with Discy/Himer themes. Affected component: wpqa_following_you_ajax action. Root cause: insufficient validation to verify if a user already follows another, enabling exploitation by having another user repeatedly...
CVE-2022-3688
CVE-2022-3688 applies to the WPQA Builder WordPress plugin prior to version 5.9, where there is no CSRF check for follow/unfollow actions. The underlying issue permits CSRF attacks to cause logged-in users to perform such actions, with a CVSS 3.1 base score of 8.8 (HIGH) and impact on confidentia...
CVE-2024-2375
CVE-2024-2375 covers the WordPress plugin WPQA Builder (Builder forms Addon) prior to version 6.1.1. The issue arises from insufficient sanitisation/escaping of some Slider settings, enabling Stored XSS when exploited by high-privilege users (e.g., contributors). Affected versions are before 6.1.1; rem...
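The reflected (CVE-2022-1597), stored-profile-field (CVE-2022-1051) and stored-settings (CVE-2024-2375) XSS entries above all come down to the same omission: data is written into HTML without an escaper matched to the output context. The following is an added example, not WPQA Builder's code, showing a vulnerable render beside a hardened one; the function names, the `key` request parameter and the `my_city`/`my_phone` meta keys are assumptions made for illustration.

```php
<?php
/*
 * Added example, not WPQA Builder code. Shows the escaping the entries above
 * are about: a reflected case (a request parameter echoed back into a form)
 * and a stored case (a profile field saved earlier). Function, parameter and
 * meta names are assumptions.
 */

// Vulnerable: the raw request parameter lands inside an attribute value, and a
// stored profile field lands in a text node, both unescaped. A value such as
// "><script>...</script> breaks out of the attribute in the first case.
function my_render_profile_vulnerable( $user_id ) {
    $city = get_user_meta( $user_id, 'my_city', true );
    $key  = isset( $_GET['key'] ) ? $_GET['key'] : '';
    return '<input type="text" name="key" value="' . $key . '">'
         . '<p class="city">' . $city . '</p>';
}

// Hardened: pick the escaper by output context, and sanitise on the way in.
// Escaping at output is the control that matters; sanitising on input is
// defence in depth, because stored data may be rendered by code written later.
function my_render_profile( $user_id ) {
    $city = get_user_meta( $user_id, 'my_city', true );
    $key  = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    // esc_attr() inside attribute values, esc_html() in text nodes,
    // esc_url() for href/src, wp_json_encode() for data handed to scripts.
    return '<input type="text" name="key" value="' . esc_attr( $key ) . '">'
         . '<p class="city">' . esc_html( $city ) . '</p>';
}

// Sanitise on save as well, behind a capability check and a nonce, so the
// stored value is clean whatever reads it.
function my_save_profile( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    check_admin_referer( 'my_save_profile', 'my_nonce' );
    $city  = isset( $_POST['city'] )  ? sanitize_text_field( wp_unslash( $_POST['city'] ) ) : '';
    $phone = isset( $_POST['phone'] ) ? preg_replace( '/[^0-9+() -]/', '', wp_unslash( $_POST['phone'] ) ) : '';
    update_user_meta( $user_id, 'my_city', $city );
    update_user_meta( $user_id, 'my_phone', $phone );
}
add_action( 'personal_options_update', 'my_save_profile' );
add_action( 'edit_user_profile_update', 'my_save_profile' );
```

Note that `sanitize_text_field()` strips tags but is not an HTML escaper: a value like `" onfocus="alert(1)` survives it, which is why `esc_attr()` at the point of output is still required. For settings pages the same rule applies to every option value echoed back into the form, regardless of who saved it; the `unfiltered_html` capability only governs what WordPress core lets a role store, not what a plugin prints.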
CVE-2022-2198
CVE-2022-2198 affects the WPQA Builder WordPress plugin prior to 5.7. The issue is an authorization bug: any logged-in user can read another user’s private messages by guessing the message id, due to missing access checks. Impact is disclosure of private messages; the advisory does not quantify b...
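The IDOR entries (CVE-2022-1425, CVE-2022-1349, CVE-2022-2198) and the CSRF entries (CVE-2022-3688, CVE-2024-2376) describe two checks that an `admin-ajax.php` handler needs and that `wp_ajax_*` hooks do not supply on their own: a nonce, and an ownership test on the object id the client names. The block below is an added example, not WPQA Builder's code, for a hypothetical "view message" action; the `my_message_view` handler, the `my_msg` post type and the `my_recipient_id` meta key are assumptions.

```php
<?php
/*
 * Added example, not WPQA Builder code. A hypothetical "view message" AJAX
 * action written twice: first in the shape the entries above describe, then
 * hardened. Handler, post type and meta key names are assumptions.
 */

// Vulnerable pattern. wp_ajax_ hooks only require that some user is logged in,
// so (a) any subscriber can read any message by iterating message_id (IDOR), and
// (b) a page on another origin can submit this request in a victim's browser (CSRF).
function my_message_view_vulnerable() {
    $message_id = intval( $_POST['message_id'] );
    $message    = get_post( $message_id ); // no ownership check
    if ( $message ) {
        wp_send_json_success( array( 'body' => $message->post_content ) );
    }
    wp_send_json_error( 'not found' );
}
add_action( 'wp_ajax_my_message_view_vulnerable', 'my_message_view_vulnerable' );

// Hardened version.
function my_message_view() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_ajax_referer() ends the request with 403 if it is missing
    //    or stale.
    check_ajax_referer( 'my_message_view', 'nonce' );

    // 2. Authentication, stated explicitly rather than relied on implicitly.
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }

    // 3. Input validation: ids are positive integers and nothing else.
    $message_id = isset( $_POST['message_id'] ) ? absint( $_POST['message_id'] ) : 0;
    if ( ! $message_id ) {
        wp_send_json_error( 'bad id', 400 );
    }

    // 4. Authorization, the IDOR fix: the message must be addressed to or sent
    //    by the requesting user. Recipient is assumed to live in post meta and
    //    sender in post_author. Forbidden and missing return the same response
    //    so an attacker cannot use the status code to enumerate valid ids.
    $message = get_post( $message_id );
    if ( ! $message || 'my_msg' !== $message->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    $recipient_id = (int) get_post_meta( $message_id, 'my_recipient_id', true );
    $sender_id    = (int) $message->post_author;
    if ( $user_id !== $recipient_id && $user_id !== $sender_id ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Output: filter stored content before handing it to the client.
    wp_send_json_success( array( 'body' => wp_kses_post( $message->post_content ) ) );
}
add_action( 'wp_ajax_my_message_view', 'my_message_view' );

// The nonce has to reach the browser: expose it to the script that makes the
// request. The script handle and file name are assumptions.
function my_message_view_enqueue() {
    wp_enqueue_script( 'my-messages', plugins_url( 'messages.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'my-messages', 'myMessages', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'my_message_view' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'my_message_view_enqueue' );
```

The same step 4 is what a delete action such as the one in CVE-2022-1349 needs: before `wp_delete_attachment()` or similar, confirm that the attachment's `post_author` (or whatever field records ownership) is the current user, or that the user holds a capability such as `delete_others_posts`. For a follow/unfollow action the nonce in step 1 is the CSRF fix, and checking whether the relationship already exists before inserting it is the fix for the repeated-follow flaw in CVE-2022-3343.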