CVE-2022-1598

MEDIUM NUCLEI

WPQA Builder < 5.4 - Unauthenticated Private Question Disclosure via REST API Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-1598. PoCs published by V35HR4J. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository describes an unauthenticated information disclosure vulnerability in the WPQA plugin and related themes, where unauthenticated users can access private messages via REST API endpoints. The PoC involves visiting specific endpoints to retrieve private questions.

Description

The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer , lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.

Exploits (1)

nomisec WRITEUP 1 stars
by V35HR4J · poc
https://github.com/V35HR4J/CVE-2022-1598

The repository describes an unauthenticated information disclosure vulnerability in the WPQA plugin and related themes, where unauthenticated users can access private messages via REST API endpoints. The PoC involves visiting specific endpoints to retrieve private questions.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WPQA < 5.5, DISCY theme, HIMER theme
No auth needed
Prerequisites: Access to the target WordPress site
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress WPQA <5.5 - Improper Access Control
MEDIUMVERIFIEDby veshraj

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/0416ae2f-5670-4080-a88d-3484bb19d8c8

Scores

CVSS v3 5.3
EPSS 0.0559
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-306
Status published
Products (1)
2code/wpqa_builder < 5.4
Published Jun 08, 2022
Tracked Since Feb 18, 2026