WPQA < 5.2 - Subscriber+ Private Message Disclosure via IDOR
The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <valid cookie of any user>