Plugin Vulnerability Hub
Plugin | 9 known issues | Latest disclosed: Jun 12, 2024

WPQA - Builder forms Addon For WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin WPQA - Builder forms Addon For WordPress (`wpqa`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-2375, CVE-2024-2376 and CVE-2022-3688, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 9
High or Critical: 1
Patch Coverage: 100%
Last Updated: Jul 23, 2024

Priority CVE Quick Links

Fast paths into WPQA - Builder forms Addon For WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 9

CVE-2022-3688 | High | Patched in 5.9
CVE-2022-3688 WPQA - Builder forms Addon For WordPress Cross-Site Request Forgery
WPQA < 5.9 - Cross-Site Request Forgery

CVE-2022-2198 | Medium | Patched in 5.7
CVE-2022-2198 WPQA - Builder forms Addon For WordPress Authorization Bypass
WPQA - Builder forms Addon For WordPress < 5.7 - Information Disclosure

CVE-2024-2375 | Medium | Patched in 6.1.1
CVE-2024-2375 WPQA - Builder forms Addon For WordPress Stored Cross-Site Scripting
WPQA - Builder forms Addon For WordPress plugin <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2022-1349 | Medium | Patched in 5.2
CVE-2022-1349 WPQA - Builder forms Addon For WordPress Authorization Bypass
WPQA - Builder forms Addon For WordPress < 5.2 - Insecure Direct Object Reference to Profile Picture Deletion

CVE-2022-1597 | Medium | Patched in 5.4
CVE-2022-1597 WPQA - Builder forms Addon For WordPress Cross-Site Scripting
WPQA - Builder forms Addon For WordPress <= 5.3 - Reflected Cross-Site Scripting

CVE-2022-1051 | Medium | Patched in 5.2
CVE-2022-1051 WPQA - Builder forms Addon For WordPress Stored Cross-Site Scripting
WPQA - Builder forms Addon For WordPress < 5.2 - Stored Cross-Site Scripting via Profile fields

CVE-2022-1598 | Medium | Patched in 5.5
CVE-2022-1598 WPQA - Builder forms Addon For WordPress Vulnerability
WPQA - Builder forms Addon For WordPress <= 5.4 - Unauthenticated Private Message Disclosure

CVE-2022-1425 | Medium | Patched in 5.2
CVE-2022-1425 WPQA - Builder forms Addon For WordPress Authorization Bypass
WPQA - Builder forms Addon For WordPress < 5.2 - Insecure Direct Object Reference to Private Message Disclosure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WPQA - Builder forms Addon For WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 1 high severity finding.
Recent CVEs: CVE-2024-2375, CVE-2024-2376 and CVE-2022-3688
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WPQA - Builder forms Addon For WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2024-2375
CVE-2024-2375: WPQA - Builder forms Addon For WordPress plugin <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WPQA - Builder forms Addon For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via slider settings in all versions up to, and including, 6.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Published: Jun 12, 2024
Patched Release: 6.1.1
Affected Versions: Versions up to 6.1.0
Next Step: Update to 6.1.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-2376
CVE-2024-2376: WPQA Builder <= 6.1.0 - Cross-Site Request Forgery

The WPQA Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.0. This is due to missing or incorrect nonce validation on several AJAX actions. This makes it possible for unauthenticated attackers to perform unauthorize...

Published: Jun 12, 2024
Patched Release: 6.1.1
Affected Versions: Versions up to 6.1.0
Next Step: Update to 6.1.1 or newer if supported.

Plugin | High | Patched: Yes | CVE-2022-3688
CVE-2022-3688: WPQA < 5.9 - Cross-Site Request Forgery

The WPQA plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, but not including, 5.9. This is due to missing or incorrect nonce validation on some of its functions. This makes it possible for unauthenticated attackers to invoke these functions leadi...

Published: Oct 25, 2022
Patched Release: 5.9
Affected Versions: Versions before 5.9
Next Step: Update to 5.9 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-2198
CVE-2022-2198: WPQA - Builder forms Addon For WordPress < 5.7 - Information Disclosure

The WPQA Builder WordPress plugin before 5.7, which is a companion plugin to the Himer and Discy themes, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message id, which can easily be brute forc...

Published: Aug 01, 2022
Patched Release: 5.7
Affected Versions: Versions before 5.7
Next Step: Update to 5.7 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1597
CVE-2022-1597: WPQA - Builder forms Addon For WordPress <= 5.3 - Reflected Cross-Site Scripting

The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer themes, does not sanitise and escape a parameter on its reset password form, which makes it possible to perform Reflected Cross-Site Scripting attacks.

Published: May 10, 2022
Patched Release: 5.4
Affected Versions: Versions before 5.4
Next Step: Update to 5.4 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1598
CVE-2022-1598: WPQA - Builder forms Addon For WordPress <= 5.4 - Unauthenticated Private Message Disclosure

The WPQA Builder WordPress plugin before 5.4, which is a companion to the Discy and Himer themes, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.

Published: May 10, 2022
Patched Release: 5.5
Affected Versions: Versions up to 5.4
Next Step: Update to 5.5 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1051
CVE-2022-1051: WPQA - Builder forms Addon For WordPress < 5.2 - Stored Cross-Site Scripting via Profile fields

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting them in the profile page, allowing any authenticated user to perform Cross-Site Scrip...

Published: Apr 21, 2022
Patched Release: 5.2
Affected Versions: Versions before 5.2
Next Step: Update to 5.2 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1349
CVE-2022-1349: WPQA - Builder forms Addon For WordPress < 5.2 - Insecure Direct Object Reference to Profile Picture Deletion

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as...

Published: Apr 21, 2022
Patched Release: 5.2
Affected Versions: Versions before 5.2
Next Step: Update to 5.2 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2022-1425
CVE-2022-1425: WPQA - Builder forms Addon For WordPress < 5.2 - Insecure Direct Object Reference to Private Message Disclosure

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users...

Published: Apr 21, 2022
Patched Release: 5.2
Affected Versions: Versions before 5.2
Next Step: Update to 5.2 or newer if supported.