
CVE-2024-2375 – WPQA < 6.1.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-2375
12 Jun 2024 — The WPQA Builder WordPress plugin before 6.1.1 does not sanitise and escape some of its Slider settings, which could allow users with the Contributor role or above to perform Stored Cross-Site Scripting attacks. The WPQA - Builder forms Addon F...
• https://wpscan.com/vulnerability/3d144e1c-a1f4-4c5a-93e2-4296a96d4ba2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-2376 – WPQA < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF
https://notcve.org/view.php?id=CVE-2024-2376
12 Jun 2024 — The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The WPQA Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery i...
• https://wpscan.com/vulnerability/bdd2e323-d589-4050-bc27-5edd2507a818 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-3343 – WPQA < 5.9.3 - Missing validation leads to functionality abuse
https://notcve.org/view.php?id=CVE-2022-3343
13 Dec 2022 — The WPQA Builder WordPress plugin before 5.9.3 (a companion plugin used with the Discy and Himer WordPress themes) incorrectly validates whether a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.
• https://wpscan.com/vulnerability/e507b1b5-1a56-4b2f-b7e7-e22f6da1e32a • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2022-3688 – WPQA < 5.9 - Follow/Unfollow via CSRF
https://notcve.org/view.php?id=CVE-2022-3688
25 Oct 2022 — The WPQA Builder WordPress plugin before 5.9 does not have a CSRF check when following and unfollowing users, which could allow attackers to make logged-in users perform such actions via CSRF attacks. The WPQA plugin for WordPress is vulnerable to Cros...
• https://wpscan.com/vulnerability/03b2c6e6-b86e-4143-a84a-7a99060c4848 • CWE-352: Cross-Site Request Forgery (CSRF)
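The three follow/unfollow advisories above (CVE-2024-2376, CVE-2022-3688 and CVE-2022-3343) describe two separate defects in the same kind of handler: no CSRF token, and a relationship check that can be satisfied by the wrong party so a repeated follow keeps bumping the target's score. The handler below is an added example written for this page, not WPQA's code; the hook name `example_follow`, the nonce action `example_follow_action`, the user-meta keys and the `exampleFollow` JS object are all assumptions for illustration.

```php
<?php
// Added example (not WPQA's code): a follow/unfollow admin-ajax handler with a
// nonce check and an idempotent follow operation. All names are hypothetical.

add_action( 'wp_enqueue_scripts', function () {
    // Hand the browser a nonce tied to the logged-in user; the handler below
    // rejects any request that does not carry a valid one (anti-CSRF).
    wp_enqueue_script( 'example-follow', plugins_url( 'follow.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-follow', 'exampleFollow', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_follow_action' ),
    ) );
} );

/** User IDs that $user_id follows, stored as user meta (hypothetical key). */
function example_following_list( $user_id ) {
    $list = get_user_meta( $user_id, 'example_following', true );
    return is_array( $list ) ? array_map( 'intval', $list ) : array();
}

add_action( 'wp_ajax_example_follow', 'example_follow_handler' );
function example_follow_handler() {
    // 1. CSRF: the nonce must match both the action name and the current user.
    //    A cross-site form post cannot obtain it, so it dies here with 403.
    check_ajax_referer( 'example_follow_action', 'nonce' );

    // 2. Authentication: only wp_ajax_ (logged-in) is registered, never nopriv.
    $me = get_current_user_id();
    if ( ! $me ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $action = isset( $_POST['do'] ) ? sanitize_key( $_POST['do'] ) : '';
    if ( ! $target || $target === $me || ! get_userdata( $target ) ) {
        wp_send_json_error( 'bad target', 400 );
    }

    // 3. The relationship is checked in the right direction (does *the caller*
    //    already follow the target) and the counter only moves when the
    //    relationship actually changes, so repeated follows from the same
    //    user cannot inflate the target's followers count.
    $following = example_following_list( $me );
    $already   = in_array( $target, $following, true );

    if ( 'follow' === $action ) {
        if ( $already ) {
            wp_send_json_success( array( 'changed' => false ) );
        }
        $following[] = $target;
        update_user_meta( $me, 'example_following', $following );
        $count = (int) get_user_meta( $target, 'example_followers', true ) + 1;
        update_user_meta( $target, 'example_followers', $count );
        wp_send_json_success( array( 'changed' => true ) );
    } elseif ( 'unfollow' === $action ) {
        if ( ! $already ) {
            wp_send_json_success( array( 'changed' => false ) );
        }
        $following = array_values( array_diff( $following, array( $target ) ) );
        update_user_meta( $me, 'example_following', $following );
        $count = max( 0, (int) get_user_meta( $target, 'example_followers', true ) - 1 );
        update_user_meta( $target, 'example_followers', $count );
        wp_send_json_success( array( 'changed' => true ) );
    }
    wp_send_json_error( 'unknown action', 400 );
}
```

The client side (the assumed `follow.js`) posts `action=example_follow`, `do=follow|unfollow`, `user_id=<target>` and `nonce=exampleFollow.nonce` to `exampleFollow.ajax_url`. A practitioner auditing a plugin for this class of bug looks for `wp_ajax_` handlers that call neither `check_ajax_referer()` nor `wp_verify_nonce()`, and for state changes keyed on a user id other than `get_current_user_id()`.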

CVE-2022-2198 – WPQA < 5.7 - Subscriber+ Private Message Disclosure via IDOR
https://notcve.org/view.php?id=CVE-2022-2198
01 Aug 2022 — The WPQA Builder WordPress plugin before 5.7, a companion plugin to the Himer and Discy themes, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message id, which can easily be brute forced.
• https://wpscan.com/vulnerability/867248f2-d497-4ea8-b3f8-0f2e8aaaa2bd • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2022-1598 – WPQA < 5.5 - Unauthenticated Private Message Disclosure
https://notcve.org/view.php?id=CVE-2022-1598
10 May 2022 — The WPQA Builder WordPress plugin before 5.5, a companion to the Discy and Himer themes, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site. The WPQA Builder W...
• https://github.com/V35HR4J/CVE-2022-1598 • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function
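A WordPress REST route registered without a `permission_callback` is reachable by anyone, which is the shape of the unauthenticated disclosure above. The route below is an added example for this page, not WPQA's endpoint: the namespace `example/v1`, the `example_private_questions` table and the `example_get_private_question()` helper are assumptions for illustration.

```php
<?php
// Added example (not WPQA's code): a REST route that returns a private
// question only to its sender or recipient. Names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/private-question/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_private_question_get',
        // The missing piece in the vulnerable pattern. Without this callback
        // (or with '__return_true') the route is public. Requiring a login
        // closes the unauthenticated disclosure; the callback below still has
        // to check *which* user, otherwise this only downgrades it to an IDOR.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

/**
 * Hypothetical storage lookup: row with sender_id, recipient_id and body,
 * or null when no such question exists.
 */
function example_get_private_question( $id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT sender_id, recipient_id, body FROM {$wpdb->prefix}example_private_questions WHERE id = %d",
        $id
    ) );
}

function example_private_question_get( WP_REST_Request $request ) {
    $q  = example_get_private_question( (int) $request['id'] );
    $me = get_current_user_id();

    // Object-level authorization: the caller must be a party to the question.
    // "Missing" and "not yours" get the same 404 so IDs cannot be enumerated
    // to learn which ones exist.
    if ( ! $q || ( $me !== (int) $q->sender_id && $me !== (int) $q->recipient_id ) ) {
        return new WP_Error( 'not_found', 'No such question', array( 'status' => 404 ) );
    }

    return rest_ensure_response( array(
        'id'   => (int) $request['id'],
        'body' => $q->body,
    ) );
}
```

Quick check when reviewing a plugin: grep for `register_rest_route` and confirm every route has a `permission_callback` that is neither absent nor `__return_true` unless the data is genuinely public. Since WordPress 5.5 a missing callback raises a `_doing_it_wrong` notice, but the route still serves requests.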

CVE-2022-1597 – WPQA < 5.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1597
10 May 2022 — The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer themes, does not sanitise and escape a parameter on its reset password form, which makes it possible to perform Reflected Cross-Site Scripting attacks.
• https://github.com/V35HR4J/CVE-2022-1597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-1349 – WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR
https://notcve.org/view.php?id=CVE-2022-1349
21 Apr 2022 — The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any user (with privileges as low as Subscriber) to delete the profile picture of any other user.
• https://wpscan.com/vulnerability/7ee95a53-5fe9-404c-a77a-d1218265e4aa • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2022-1051 – WPQA < 5.2 - Subscriber+ Stored Cross-Site Scripting via Profile fields
https://notcve.org/view.php?id=CVE-2022-1051
21 Apr 2022 — The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting them on the profile page, allowing any authenticated user to perform Stored Cross-Site Scripting attacks.
• https://github.com/V35HR4J/CVE-2022-1051 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
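The three XSS advisories on this page (stored slider settings in CVE-2024-2375, a reflected reset-form parameter in CVE-2022-1597, and stored profile fields in CVE-2022-1051) share one root cause: user-controlled strings reach HTML without context-appropriate escaping. The code below is an added example written for this page, not WPQA's profile or reset-form code; the meta keys `example_city`, `example_phone`, `example_credentials`, the form markup and the nonce names are assumptions for illustration.

```php
<?php
// Added example (not WPQA's code): sanitise profile fields on save and escape
// them for the context they land in on output; echo a request parameter back
// into a form attribute safely. All names are hypothetical.

// Save side: sanitise on the way in. This limits what gets stored but is not
// what prevents XSS; escaping at output is.
function example_save_profile_fields( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    check_admin_referer( 'example_profile_update', 'example_profile_nonce' );
    update_user_meta( $user_id, 'example_city',  sanitize_text_field( wp_unslash( $_POST['example_city'] ?? '' ) ) );
    update_user_meta( $user_id, 'example_phone', sanitize_text_field( wp_unslash( $_POST['example_phone'] ?? '' ) ) );
    // A free-text "credentials" field may legitimately carry some markup;
    // wp_kses_post() keeps the post-safe subset and strips script and
    // on* event-handler attributes.
    update_user_meta( $user_id, 'example_credentials', wp_kses_post( wp_unslash( $_POST['example_credentials'] ?? '' ) ) );
}
add_action( 'personal_options_update',  'example_save_profile_fields' );
add_action( 'edit_user_profile_update', 'example_save_profile_fields' );

// Output side: one escape per context. esc_html() for text nodes, esc_attr()
// for attribute values, esc_url() for href, wp_kses_post() for rich text.
function example_render_profile( $user_id ) {
    $city  = get_user_meta( $user_id, 'example_city', true );
    $phone = get_user_meta( $user_id, 'example_phone', true );
    $cred  = get_user_meta( $user_id, 'example_credentials', true );
    ?>
    <p class="city"><?php echo esc_html( $city ); ?></p>
    <a href="<?php echo esc_url( 'tel:' . preg_replace( '/[^0-9+]/', '', $phone ) ); ?>">
        <?php echo esc_html( $phone ); ?>
    </a>
    <div class="credentials"><?php echo wp_kses_post( $cred ); ?></div>
    <?php
}

// Reflected case: a reset-password form that pre-fills a field from the query
// string. Echoing $_GET straight into value="" is the reflected XSS pattern;
// esc_attr() is the context-correct escape for an attribute.
function example_reset_form() {
    $login = isset( $_GET['login'] ) ? sanitize_user( wp_unslash( $_GET['login'] ) ) : '';
    ?>
    <form method="post" action="<?php echo esc_url( wp_lostpassword_url() ); ?>">
        <input type="text" name="user_login" value="<?php echo esc_attr( $login ); ?>">
        <?php wp_nonce_field( 'example_reset', 'example_reset_nonce' ); ?>
        <button type="submit">Reset password</button>
    </form>
    <?php
}
```

Two checks worth applying to a plugin under review: every `echo` of a `get_user_meta()`, `get_option()` or `$_GET`/`$_POST` value should be wrapped in an `esc_*()` or `wp_kses*()` call matching its context, and stored settings editable by lower roles (Contributor, Subscriber) deserve the same treatment as anonymous input, since `unfiltered_html` is normally held only by Administrators and Editors.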

CVE-2022-1425 – WPQA < 5.2 - Subscriber+ Private Message Disclosure via IDOR
https://notcve.org/view.php?id=CVE-2022-1425
21 Apr 2022 — The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, allowing any user to read the messages of any other user via an Insecure Direct Object Reference (IDOR) vulnerability.
• https://wpscan.com/vulnerability/b110e2f7-4aa3-47b5-a8f2-0a7fe53cc467 • CWE-639: Authorization Bypass Through User-Controlled Key
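CVE-2022-2198, CVE-2022-1349 and CVE-2022-1425 are the same defect on two objects: an admin-ajax handler takes `message_id` or `image_id` from the request and acts on it after checking only that *someone* is logged in, not that the object belongs to the caller. The handlers below are an added example for this page, not WPQA's `wpqa_message_view` or `wpqa_remove_image` code; the hook names, the `example_messages` table, the `example_profile_image` meta key and the nonce actions are assumptions for illustration.

```php
<?php
// Added example (not WPQA's code): AJAX handlers that bind message_id and
// image_id to the requesting user before acting on them. Names are hypothetical.

/** Hypothetical lookup: row with id, sender_id, recipient_id, body, or null. */
function example_get_message( $message_id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT id, sender_id, recipient_id, body FROM {$wpdb->prefix}example_messages WHERE id = %d",
        $message_id
    ) );
}

/** True only if $user_id is a party to the message. */
function example_user_can_read_message( $message, $user_id ) {
    return $message
        && ( (int) $message->sender_id === $user_id || (int) $message->recipient_id === $user_id );
}

add_action( 'wp_ajax_example_message_view', function () {
    check_ajax_referer( 'example_messages', 'nonce' );
    $me  = get_current_user_id();
    $id  = isset( $_POST['message_id'] ) ? absint( $_POST['message_id'] ) : 0;
    $msg = example_get_message( $id );

    // Authorization on the object itself, not just "is logged in". The
    // vulnerable pattern fetched by id and returned the row to any
    // authenticated caller; sequential ids made walking them trivial.
    // "Missing" and "not yours" get the same answer to avoid an oracle.
    if ( ! example_user_can_read_message( $msg, $me ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'id' => (int) $msg->id, 'body' => $msg->body ) );
} );

add_action( 'wp_ajax_example_remove_image', function () {
    check_ajax_referer( 'example_profile', 'nonce' );
    $me       = get_current_user_id();
    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;

    // Derive ownership from server-side records, never from a client-supplied
    // user id: the attachment must be authored by the caller AND be the image
    // recorded on the caller's own profile.
    $att = get_post( $image_id );
    if ( ! $att
        || 'attachment' !== $att->post_type
        || (int) $att->post_author !== $me
        || (int) get_user_meta( $me, 'example_profile_image', true ) !== $image_id ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Belt and braces: also ask the capability system.
    if ( ! current_user_can( 'delete_post', $image_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_user_meta( $me, 'example_profile_image' );
    wp_delete_attachment( $image_id, true );
    wp_send_json_success();
} );
```

The review heuristic for this class: for every `wp_ajax_*` handler, find each id taken from `$_POST`/`$_GET`, then find the line that ties that id to `get_current_user_id()` or to a `current_user_can( <meta_cap>, $id )` call. If that line does not exist, the handler has the CWE-639 shape these advisories describe, regardless of whether a nonce is checked.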