CVE-2022-3688
WPQA < 5.9 - Follow/Unfollow via CSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The WPQA Builder WordPress plugin before 5.9 does not have CSRF check when following and unfollowing users, which could allow attackers to make logged in users perform such actions via CSRF attacks
El complemento de WordPress WPQA Builder anterior a 5.9 no tiene verificación CSRF al seguir y dejar de seguir a los usuarios, lo que podría permitir a los atacantes hacer que los usuarios que han iniciado sesión realicen tales acciones a través de ataques CSRF.
The WPQA plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, but not including, 5.9. This is due to missing or incorrect nonce validation on some of its functions. This makes it possible for unauthenticated attackers to invoke these functions leading users to follow or unfollow others, via forged request granted they can trick a site user into performing an action such as clicking on a link.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-10-25 CVE Published
- 2022-10-26 CVE Reserved
- 2024-06-13 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/03b2c6e6-b86e-4143-a84a-7a99060c4848 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| 2code Search vendor "2code" | Wpqa Builder Search vendor "2code" for product "Wpqa Builder" | < 5.9 Search vendor "2code" for product "Wpqa Builder" and version " < 5.9" | wordpress |
Affected
| ||||||