The plugin does not properly check for CSRF in some of its functions, allowing attackers to make logged-in users perform unwanted actions, such as updating a comment or a question status. The vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and has been notified numerous times since.
- CSRF to update_comment
- CSRF to update a question status
CPE

Name | Operator | Version |
---|---|---|
dw-question-answer-pro | eq | * |