CVE-2022-3343: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-3343 affects the WPQA Builder WordPress plugin versions before 5.9.3, which is a companion plugin used with Discy and Himer Discy WordPress themes. The vulnerability was discovered by Harsh Tandel and was publicly disclosed on December 13, 2022 (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and falls under the OWASP Top 10 category A5: Broken Access Control. It has been assigned CWE-639 and received a CVSS score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. The issue stems from incorrect validation in the wpqafollowingyou_ajax action (WPScan).

The vulnerability allows a user to manipulate the site's scoring system by enabling repeated follow actions to artificially inflate user scores. This impacts the integrity of the platform's user engagement metrics (NVD).

The vulnerability has been fixed in WPQA Builder version 5.9.3, Discy theme version 5.5.3, and Himer theme version 1.9.3. Users are advised to update to these or later versions to mitigate the vulnerability (WPScan).