CVE-2022-1349

CVE-2022-1349: WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR

Vendor: Unknown
Product: WPQA Builder Plugin
Weakness: CWE-287 · Improper authentication
Published: May 16, 2022
Last update: August 3, 2024


What the vulnerability does

01 Description

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the AJAX action wpqa_remove_image belongs to the requesting user, allowing any user (with privileges as low as Subscriber) to delete the profile picture of any other user.
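The missing check described above, sketched as a hardened WordPress AJAX handler. This is an added example, not WPQA's code or its actual fix: the action name example_remove_image, the nonce name and the user meta key example_avatar_id are hypothetical, and only the image_id parameter comes from the description.

```php
<?php
// Added example (hypothetical handler, not the plugin's own code).
// Assumption: each user's profile-picture attachment ID is stored in user
// meta under the hypothetical key 'example_avatar_id'.

add_action( 'wp_ajax_example_remove_image', 'example_remove_image' );

function example_remove_image() {
    // wp_ajax_* hooks only fire for logged-in users; the nonce stops CSRF.
    // Neither of these proves the caller owns the object being deleted.
    check_ajax_referer( 'example_remove_image', 'nonce' );

    $user_id  = get_current_user_id();
    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;

    if ( ! $user_id || ! $image_id ) {
        wp_send_json_error( 'bad_request', 400 );
    }

    // Ownership is resolved server-side from the session user,
    // never from anything the client supplies.
    $own_avatar = absint( get_user_meta( $user_id, 'example_avatar_id', true ) );
    $author     = (int) get_post_field( 'post_author', $image_id );

    // Reject unless the ID is an attachment, is the picture recorded for
    // THIS user, and was uploaded by this user. Without this block the
    // handler deletes whatever attachment ID the client sends (the IDOR).
    if ( 'attachment' !== get_post_type( $image_id )
        || $image_id !== $own_avatar
        || $author !== $user_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_user_meta( $user_id, 'example_avatar_id' );
    wp_delete_attachment( $image_id, true );
    wp_send_json_success();
}
```

On sites that cannot upgrade immediately, 403 responses from a handler like this, or repeated admin-ajax.php requests for the remove-image action with varying image_id values from one low-privilege account, are the signal to look for in access logs.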

Key dates

02 Disclosure timeline

May 16, 2022: CVE published
August 3, 2024: Record updated