The plugin does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. Vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and was notified numerous times since.
As any authenticated user, post a comment and edit it while capturing the request made, then change the comment_id parameter to the comment to edit
CPE | Name | Operator | Version |
---|---|---|---|
dw-question-answer-pro | eq | * |