The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/867248f2-d497-4ea8-b3f8-0f2e8aaaa2bd | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2022-08-22T15:00:17
Updated: 2022-08-22T15:00:17
Reserved: 2022-06-24T00:00:00
Link: CVE-2022-2198
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-08-22T15:15:14.337
Modified: 2022-08-25T02:43:30.067
Link: CVE-2022-2198
JSON object: View
Redhat Information
No data.
CWE