CVE-2024-2232 – Himer - Social Questions and Answers < 2.1.3 - CSRF While Sending the Invites
https://notcve.org/view.php?id=CVE-2024-2232
The theme lacks CSRF checks, allowing a user to invite any user to any group (including private groups). The Himer theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the wpqa_add_group_user AJAX action. This makes it possible for unauthenticated attackers to send user invites to private groups via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/a2df28d3-bf03-4fd3-b231-86e062739899 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-2231 – Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
https://notcve.org/view.php?id=CVE-2024-2231
The theme allows any authenticated user to join a private group due to a missing authorization check on a function. The Himer theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0, via the wpqa_accept_invite AJAX action, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to join private groups. • https://wpscan.com/vulnerability/119d2d93-3b71-4ce9-b385-4e6f57b162cb • CWE-639: Authorization Bypass Through User-Controlled Key •
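Both advisories describe the same two WordPress AJAX mistakes: a handler that acts on request parameters without a nonce (CVE-2024-2232) and a handler that trusts a caller-supplied object key without checking it belongs to the caller (CVE-2024-2231). The following is an added illustration of the vulnerable shape of each handler beside a hardened version. It is not the Himer theme's code: only the two action names come from the advisories above; the storage layout (pending invites kept as user meta on the invitee, members kept as post meta on the group), the `nonce` request field, and the helper functions are assumptions made for the example.

```php
<?php
// Added illustration, not the Himer theme's code. Action names come from the
// advisories; invite/member storage and the helpers below are assumptions.

// Pending invites for a user as a clean list of group ids (assumed storage).
function wpqa_pending_invites( $user_id ) {
    $raw = (array) get_user_meta( $user_id, 'wpqa_group_invites', true );
    return array_values( array_filter( array_map( 'absint', $raw ) ) );
}

function wpqa_store_invite( $group_id, $user_id ) {
    $invites   = wpqa_pending_invites( $user_id );
    $invites[] = $group_id;
    update_user_meta( $user_id, 'wpqa_group_invites', array_values( array_unique( $invites ) ) );
}

function wpqa_add_member( $group_id, $user_id ) {
    $members   = array_map( 'absint', (array) get_post_meta( $group_id, 'wpqa_group_members', true ) );
    $members[] = $user_id;
    update_post_meta( $group_id, 'wpqa_group_members', array_values( array_unique( array_filter( $members ) ) ) );
}

// Assumption: a group is a post whose author administers it.
function wpqa_user_manages_group( $user_id, $group_id ) {
    return (int) get_post_field( 'post_author', $group_id ) === (int) $user_id
        || user_can( $user_id, 'manage_options' );
}

// CVE-2024-2232 shape: no nonce, so a forged cross-site POST riding on an
// administrator's logged-in session is accepted as if the admin had sent it.
function wpqa_add_group_user_unsafe() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    wpqa_store_invite( $group_id, $user_id );
    wp_send_json_success();
}

// Hardened: a per-action nonce proves the request came from a page this site
// rendered for this session, and an explicit authorization check confirms the
// caller may manage the group at all.
function wpqa_add_group_user_safe() {
    check_ajax_referer( 'wpqa_add_group_user', 'nonce' ); // dies on a missing/invalid nonce
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    if ( ! $group_id || ! $user_id || ! wpqa_user_manages_group( get_current_user_id(), $group_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wpqa_store_invite( $group_id, $user_id );
    wp_send_json_success();
}

// CVE-2024-2231 shape: the group id (the user-controlled key) is honoured as
// given, so any subscriber joins any private group simply by naming it.
function wpqa_accept_invite_unsafe() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    wpqa_add_member( $group_id, get_current_user_id() );
    wp_send_json_success();
}

// Hardened: the key is resolved relative to the authenticated caller. It is
// only accepted if that group appears in this user's own pending invites, and
// the invite is consumed before membership is granted.
function wpqa_accept_invite_safe() {
    check_ajax_referer( 'wpqa_accept_invite', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $user_id  = get_current_user_id();
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $invites  = wpqa_pending_invites( $user_id );
    if ( ! $group_id || ! in_array( $group_id, $invites, true ) ) {
        wp_send_json_error( 'no invite for this group', 403 );
    }
    update_user_meta( $user_id, 'wpqa_group_invites', array_values( array_diff( $invites, array( $group_id ) ) ) );
    wpqa_add_member( $group_id, $user_id );
    wp_send_json_success();
}

// Register only the logged-in hooks; no wp_ajax_nopriv_ variants are exposed.
add_action( 'wp_ajax_wpqa_add_group_user', 'wpqa_add_group_user_safe' );
add_action( 'wp_ajax_wpqa_accept_invite',  'wpqa_accept_invite_safe' );
```

The page that issues these requests has to embed a matching token, produced with wp_create_nonce( 'wpqa_add_group_user' ) or wp_create_nonce( 'wpqa_accept_invite' ) and sent as the nonce field; check_ajax_referer() then rejects anything a third-party page could forge. Note that the nonce alone would not have closed CVE-2024-2231: the IDOR is fixed by the lookup of the key inside the caller's own invite list, which is why the hardened accept handler does both.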