CVE-2022-1598: 
WordPress vulnerability analysis and mitigation

The WPQA Builder WordPress plugin before version 5.5, a companion plugin for the Discy and Himer themes, contains a security vulnerability identified as CVE-2022-1598. The vulnerability was discovered by Veshraj Ghimire and publicly disclosed on May 16, 2022. The issue stems from a lack of authentication in a REST API endpoint, which affects the plugin's private messaging functionality (WPScan).

The vulnerability is classified as an Access Control issue (CWE-284) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability exists in the REST API endpoint at '/wp-json/wp/v2/asked-question' or '/wp-json/wp/v2/asked-question/{ID}', where ID is a numeric value that can be bruteforced. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N) (WPScan).

The vulnerability allows unauthenticated users to discover and access private questions sent between users on the site. This represents a breach of confidentiality for user communications, potentially exposing sensitive information exchanged through the platform's private messaging system (WPScan).

The vulnerability has been fixed in WPQA Builder version 5.5. Users are strongly advised to update their WPQA Builder plugin to this version or later to protect against unauthorized access to private messages (WPScan).