CVE-2022-1349: 
WordPress vulnerability analysis and mitigation

The WPQA Builder Plugin for WordPress, prior to version 5.2, contains a security vulnerability identified as CVE-2022-1349. This vulnerability was discovered in a companion plugin used for the Discy and Himer themes. The issue was publicly disclosed on April 21, 2022, and affects the plugin's profile picture management functionality (WPScan).

The vulnerability stems from improper authentication validation in the ajax action 'wpqaremoveimage'. Specifically, the plugin fails to verify if the image_id parameter value belongs to the requesting user. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-287 (Improper Authentication) (NVD).

When exploited, this vulnerability allows users with privileges as low as Subscriber to delete profile pictures of any other user on the system. This represents a breach of user privacy and system integrity, potentially affecting all users who have uploaded profile pictures on the affected WordPress installation (WPScan).

The vulnerability has been patched in WPQA Builder Plugin version 5.2. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).