CVE-2022-1598 The WPQA Builder plugin before 5.4 lacked authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users.

CVE-2022-1598 The WPQA Builder plugin before 5.4 lacked authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users.

The WPQA Builder plugin has a REST API for managing questions and answers on your site. If a WPQA Builder question is marked as private, users cannot see that question. This is an issue because users of your site may have questions they want to answer privately with other users. For example, a user may want to ask another user to join a team without having to share the discussion with the entire team. An attacker can exploit this issue by creating an account on your site and sending a private question to that user’s email address. An attacker would then get a notification that a private question was sent to their email address, and can then easily reply to the private question and answer.

Overview of the REST API

The REST API allows developers to add and edit questions and answers on their site. The WPQA Builder plugin uses this API to manage the questions and answers on a site, which means that any developer using the plugin could be vulnerable to this issue.
An attacker would need to send an email from a connected account to get a notification that a private question was sent. This attack is limited by the fact that private questions are visible only if they are open in the WordPress dashboard (not through the REST API). Furthermore, notifications only go out when people view their account’s email address in the WordPress dashboard.

Summary

The REST API is designed to allow you to manage questions and answers on your site. A private question cannot be seen unless it has been shared with the WPQA Builder plugin. If a WPQA Builder question is marked as private, users cannot see that question. This can be an issue if a user has questions they want to answer privately with other users. An attacker can exploit this by creating an account on your site and sending a private question to that user’s email address. An attacker would then get a notification that a private question was sent to their email address, and can easily reply to the private question and answer.
This vulnerability could allow the attacker’s account to be compromised or the attack could cause damage by posting harmful content back into your site without moderation or vetting.

How does WPQA Builder help mitigate this issue?

WPQA Builder has a special option where you can set the default answer for private questions to be "no one is watching this." This means that users who see a private question will not be able to answer it.
In addition to this, WPQA Builder also has an option where if the user does not respond within 24 hours, then the question becomes public and anyone can see it.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe