CVE-2022-1349
MEDIUMWPQA Builder Plugin < 5.2 - Unauthenticated Arbitrary Profile Picture Deletion via image_id Parameter
Title source: llmDescription
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/7ee95a53-5fe9-404c-a77a-d1218265e4aa
Scores
CVSS v3
4.3
EPSS
0.0062
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-287
Status
published
Products (1)
2code/wpqa_builder
< 5.2
Published
May 16, 2022
Tracked Since
Feb 18, 2026