WordPress plugins are a gateway to making websites smarter and user-friendly, but sometimes small oversights in code can open big doors for attackers. CVE-2022-3688 is a classic example of this—a Cross-Site Request Forgery (CSRF) vulnerability in the popular WPQA Builder plugin that could let attackers trick logged-in users into following or unfollowing other users without consent. This issue was resolved in version 5.9, but let’s break down what happened, see how it worked, and why such bugs matter.
What Exactly Is CVE-2022-3688?
CVE-2022-3688 refers to a security bug in WPQA Builder before version 5.9. The plugin lacked proper CSRF (Cross-Site Request Forgery) checks on its “follow” and “unfollow” user actions. This meant that attackers could craft sneaky links or forms that, when visited by a logged-in WordPress user, would execute these actions without the user’s permission.
Official References
- WPScan Vulnerability Database
- NVD - CVE-2022-3688
What Does A CSRF Attack Look Like? (A Simple Example)
To understand the bug, let’s break down a typical follow/unfollow action in WPQA Builder. When logged in, your site probably lets you follow another user by visiting a link like:
https://your-wordpress-site.com/?wpqa_follow_user=someone
If there’s no CSRF protection, literally anyone could trick you into clicking on a link or even embed a request in a hidden form. For example:
<!-- Malicious CSRF attack example: -->
<html>
<body>
<!-- When loaded, this form would auto-submit, causing a follow action -->
<form action="https://victim-site.com/?wpqa_follow_user=badguy" method="POST" id="attack-form">
</form>
<script>
document.getElementById('attack-form').submit();
</script>
</body>
</html>
If you, as a logged-in user, visited a web page containing such a payload, you would unknowingly follow “badguy”—or unfollow one of your friends—without realizing it.
Why Is This A Problem?
CSRF attacks work best when the target action requires authentication (i.e., you must be logged in). Without CSRF checks, attackers can:
- Bypass site controls, leading to further spam or abuse.
The *expected* CSRF protection is usually done through what's called a “nonce” (number used once)—a special token that must be present and verified for sensitive requests. WPQA Builder failed to require or verify a nonce for these actions until version 5.9.
2. Logged-in user clicks the link (or is silently redirected).
3. User’s browser sends an authenticated request—it’s as if the user decided to follow ‘badguy’!
4. No CSRF token present—the site cannot tell the request was forged.
Alternatively, the attack can happen via a hidden form that auto-submits (see code above), making it totally invisible to the user.
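To see why a nonce stops the forged request above, here is an added, stand-alone model of the WordPress nonce scheme. It is not WPQA Builder's code and not WordPress's own implementation: it mirrors the structure of wp_create_nonce()/wp_verify_nonce() (a keyed hash over time tick, action name, user id and session token, accepted for the current and previous tick) so it can run without WordPress. SITE_SECRET, the user ids, the session tokens and the fixed timestamp are constructed values for the demonstration.

```php
<?php
// Added example: simplified model of the WordPress nonce mechanism.
// Not WPQA Builder or WordPress code; secret and sessions are constructed.

const NONCE_LIFE  = 86400;                 // WordPress default lifetime: one day
const SITE_SECRET = 'constructed-secret';  // stands in for the site's salts

// The lifetime is split into two "ticks" so a nonce issued just before a
// boundary still verifies; WordPress accepts the current and previous tick.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Token bound to one action, one user id and one login session.
function make_nonce(string $action, int $uid, string $session, int $now): string {
    $mac = hash_hmac('sha256', nonce_tick($now) . "|$action|$uid|$session", SITE_SECRET);
    return substr($mac, -12, 10);          // WordPress keeps 10 hex characters
}

// Returns 1 (current tick), 2 (previous tick) or 0 (invalid or expired).
function verify_nonce(string $nonce, string $action, int $uid, string $session, int $now): int {
    $tick = nonce_tick($now);
    foreach ([1 => 0, 2 => 1] as $result => $back) {
        $mac = hash_hmac('sha256', ($tick - $back) . "|$action|$uid|$session", SITE_SECRET);
        if (hash_equals(substr($mac, -12, 10), $nonce)) {
            return $result;
        }
    }
    return 0;
}

// Server side of the follow request. The nonce is checked against the
// *requesting* user's id and session, which is what defeats CSRF: a value
// the attacker obtained in their own session never verifies for the victim.
function handle_follow(array $query, int $uid, string $session, int $now): string {
    if (!isset($query['wpqa_follow_user'], $query['_wpnonce'])) {
        return 'rejected: missing nonce';
    }
    if (verify_nonce($query['_wpnonce'], 'wpqa_follow_action', $uid, $session, $now) === 0) {
        return 'rejected: bad or expired nonce';
    }
    return 'followed ' . $query['wpqa_follow_user'];
}

// Constructed scenario: victim (uid 7) and attacker (uid 99), each logged in.
$now            = 1700000000;
$victimUid      = 7;   $victimSession   = 'victim-session-token';
$attackerUid    = 99;  $attackerSession = 'attacker-session-token';

// 1. Legitimate link rendered by the site inside the victim's own session.
$good = make_nonce('wpqa_follow_action', $victimUid, $victimSession, $now);
echo handle_follow(['wpqa_follow_user' => 'someone', '_wpnonce' => $good],
                   $victimUid, $victimSession, $now), "\n";

// 2. Forged request from an attacker's page: no nonce at all.
echo handle_follow(['wpqa_follow_user' => 'badguy'],
                   $victimUid, $victimSession, $now), "\n";

// 3. Attacker copies a nonce from their own session into the forged link.
$copied = make_nonce('wpqa_follow_action', $attackerUid, $attackerSession, $now);
echo handle_follow(['wpqa_follow_user' => 'badguy', '_wpnonce' => $copied],
                   $victimUid, $victimSession, $now), "\n";

// 4. The victim's own nonce, replayed after both tick windows have passed.
echo handle_follow(['wpqa_follow_user' => 'someone', '_wpnonce' => $good],
                   $victimUid, $victimSession, $now + NONCE_LIFE + 1), "\n";
```

Only the first request succeeds: the second has no token, the third carries a token bound to a different user and session, and the fourth is a genuine token that has aged past both accepted ticks. The vulnerable plugin behaved as if every request were case 1.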
Vulnerable Code Example (What Went Wrong?)
The main mistake was not requiring or checking a CSRF token (nonce) for the follow/unfollow actions in the plugin. Here’s a simplified example:
// BAD: No nonce check!
if ( isset($_GET['wpqa_follow_user']) ) {
$user_to_follow = intval($_GET['wpqa_follow_user']);
$current_user = get_current_user_id();
// Process follow action with $user_to_follow and $current_user
}
A secure approach looks like this:
// GOOD: Nonce check in place!
if ( isset($_GET['wpqa_follow_user']) && isset($_GET['_wpnonce']) ) {
if ( wp_verify_nonce($_GET['_wpnonce'], 'wpqa_follow_action') ) {
$user_to_follow = intval($_GET['wpqa_follow_user']);
$current_user = get_current_user_id();
// Safe to process follow action
}
}
This prevents unauthorized (forged) requests from going through.
How To Fix Or Protect Your Site
1. Update Immediately:
If you use WPQA Builder, make sure you’re running *at least* version 5.9. The developer’s changelog addresses this issue.
2. Watch For CSRF In Custom Plugins:
If you’re a developer, always use wp_nonce_field() and check_admin_referer() (or similar) for actions that modify user or site data.
3. Educate Your Team:
Ensure all plugin code that changes anything for a user or site includes CSRF tokens.
- Copy an action link (like a “follow” URL).
- Open a browser in incognito mode and try the same URL—if it goes through without any warning, you might have a CSRF hole. (A more direct check of the nonce itself: while logged in, request the URL with the `_wpnonce` parameter removed or altered; a protected action should refuse it.)
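Putting the “GOOD” snippet and step 2 together, here is an added example of what a complete, protected follow/unfollow handler looks like in the shape of a small WordPress plugin. It is not WPQA Builder's code. It uses only real WordPress APIs (wp_nonce_url, check_admin_referer, is_user_logged_in, get_user_by, get_user_meta, wp_safe_redirect); the function names, the wpqa_unfollow_user parameter, the action names and the example_following meta key are assumptions for this example. It needs a running WordPress install, so it is not an offline script.

```php
<?php
/*
 * Added example, not WPQA Builder's code: a nonce-protected follow/unfollow
 * handler as a minimal WordPress plugin. Function names, the unfollow
 * parameter, action names and the meta key are assumptions.
 */

// Render the links. wp_nonce_url() appends a _wpnonce bound to the current
// user's session and the given action, so a link pasted into an attacker's
// page cannot verify for any other visitor.
function example_follow_links(string $target_login): array {
    $base = home_url('/');
    return [
        'follow'   => wp_nonce_url(add_query_arg('wpqa_follow_user', $target_login, $base),
                                   'wpqa_follow_action'),
        'unfollow' => wp_nonce_url(add_query_arg('wpqa_unfollow_user', $target_login, $base),
                                   'wpqa_unfollow_action'),
    ];
}

// Handle the request before any template output.
function example_handle_follow_request(): void {
    $is_follow   = isset($_GET['wpqa_follow_user']);
    $is_unfollow = isset($_GET['wpqa_unfollow_user']);
    if (!$is_follow && !$is_unfollow) {
        return;                                   // not our request
    }

    // 1. Authentication: anonymous requests have no account to act for.
    if (!is_user_logged_in()) {
        wp_die('You must be logged in.', 'Forbidden', ['response' => 403]);
    }

    // 2. CSRF: one action name per operation, so a follow nonce cannot be
    //    replayed as an unfollow. check_admin_referer() calls wp_die() when
    //    the _wpnonce parameter is missing, wrong or expired.
    $action = $is_follow ? 'wpqa_follow_action' : 'wpqa_unfollow_action';
    check_admin_referer($action);

    // 3. Input validation: resolve the supplied login to a real user.
    $param  = $is_follow ? 'wpqa_follow_user' : 'wpqa_unfollow_user';
    $login  = sanitize_user(wp_unslash($_GET[$param]), true);
    $target = get_user_by('login', $login);
    $me     = get_current_user_id();
    if (!$target || (int) $target->ID === $me) {
        wp_die('Invalid user.', 'Bad Request', ['response' => 400]);
    }

    // 4. Persist. Storing the follow list in user meta is an assumption.
    $following = get_user_meta($me, 'example_following', true);
    if (!is_array($following)) {
        $following = [];
    }
    if ($is_follow) {
        $following[(int) $target->ID] = true;
    } else {
        unset($following[(int) $target->ID]);
    }
    update_user_meta($me, 'example_following', $following);

    // 5. Redirect so a page refresh does not resubmit the action.
    wp_safe_redirect(remove_query_arg(['wpqa_follow_user', 'wpqa_unfollow_user', '_wpnonce']));
    exit;
}
add_action('template_redirect', 'example_handle_follow_request');
```

The order of the checks matters: the login check rejects anonymous traffic first, the nonce check rejects anything not generated inside the requesting user's own session, and only then is the user-supplied value looked up. The incognito test from the list above exercises the first check; stripping `_wpnonce` from a logged-in request exercises the second.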
Takeaway
CVE-2022-3688 is a textbook example of how missing even simple security checks can lead to real-world abuse. CSRF protection isn’t just a fancy extra—it’s a must for anything that changes state (like following/unfollowing users). Don’t let your site be the next victim of “surprise friendships.”
References
- WordPress Plugin: WPQA Builder
- WPScan CVE-2022-3688 Advisory
- Common WordPress CSRF Protections
*Written exclusively for you. Spread the word—security is everyone’s job!*
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:47:00 UTC