3.5

CVE-2022-3343

Exploit

WPQA - Builder forms Addon For WordPress (<= 5.9.2), Himer (<= 1.9.3) and Discy (<= 5.5.3) - Authenticated (Subscriber+) Insecure Direct Object Reference

The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.
Possible countermeasure
WPQA - Builder forms Addon For WordPress: Update to version 5.9.3, or a newer patched version
Discy - Social Questions and Answers WordPress Theme: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Himer - Social Questions and Answers WordPress Theme: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Further vulnerability information

System: WordPress Plugin
Product: WPQA - Builder forms Addon For WordPress
Version: * - 5.9.2

System: WordPress Theme
Product: Discy - Social Questions and Answers WordPress Theme
Version: * - 5.5.3

System: WordPress Theme
Product: Himer - Social Questions and Answers WordPress Theme
Version: * - 1.9.3
Data provided by the National Vulnerability Database (NVD)
Vendor: 2code, Product: Wpqa Builder, Software platform: wordpress, Version: < 5.9.3
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS metrics
Type: EPSS, Source: FIRST.org, Score: 0.17%, Percentile: 0.384
CVSS metrics
Source: nvd@nist.gov, Base Score: 3.5, Exploit Score: 2.1, Impact Score: 1.4, Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0, Base Score: 3.5, Exploit Score: 2.1, Impact Score: 1.4, Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N