DW Question Answer Pro Vulnerability (Medium) – CVE-2021-24805

Feb 25, 2026 | Plugins

Attack Vectors

CVE-2021-24805 is a Medium-severity Cross-Site Request Forgery (CSRF) issue (CVSS 5.4) affecting DW Question & Answer Pro (slug: dw-question-answer-pro) through version 1.3.6. A CSRF attack tricks a legitimate, logged-in user into clicking a link or visiting a page that silently submits a request to your WordPress site; because the browser attaches the WordPress authentication cookies to that request automatically, the site sees it as a normal action by that user.

In practical terms, an attacker could send a marketing team member, moderator, or admin a convincing email or message containing a link. If that person is logged into WordPress in the same browser, the forged request is executed with their permissions, and the attacker never needs their password. Current browsers default cookies to SameSite=Lax, which blocks most cross-site POSTs from third-party pages, but cookies are still sent on top-level GET navigations, so a handler that accepts state changes over GET remains exploitable through a plain link.

According to the advisory, the affected functions let an attacker force a logged-in user to make unwanted changes such as updating a comment or changing a question's status within the DW Question & Answer Pro workflow.

Security Weakness

The underlying weakness is that DW Question & Answer Pro versions <= 1.3.6 do not perform CSRF checks in some functions. In WordPress terms, the affected handlers act on a request without verifying a nonce (wp_verify_nonce(), check_admin_referer() or check_ajax_referer()), so any request that carries the victim's session cookies is accepted as if the user had intentionally submitted it. Two points matter for anyone auditing similar code: a nonce proves intent, not permission, so it must be paired with a capability check such as current_user_can(); and a nonce check placed after the state change, or applied only to the form view rather than the handler, provides no protection.

This matters because many business processes depend on trusted actions performed by authenticated staff (moderation, customer support, community management, brand communications). When CSRF protections are missing, routine actions can be triggered by external content, turning normal user behavior (clicking a link) into a security risk.
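The following is an added illustration of the weakness described above, not code from DW Question & Answer Pro or from the advisory. It shows a minimal WordPress AJAX handler that changes a question's status, first without any CSRF check and then with the standard nonce and capability checks. All action and function names prefixed myqa_ are hypothetical; the WordPress APIs (check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script, wp_update_post) are real.

```php
<?php
/*
 * Added example (not the plugin's code). The myqa_* names are hypothetical.
 * Demonstrates the missing-CSRF-check pattern beside its hardened form.
 */

// --- Vulnerable pattern: any request carrying the victim's cookies is honoured. ---
add_action( 'wp_ajax_myqa_set_status_unsafe', 'myqa_set_status_unsafe' );
function myqa_set_status_unsafe() {
    // $_REQUEST also accepts GET, so a plain link or <img src=...> can trigger it.
    $question_id = absint( $_REQUEST['question_id'] ?? 0 );
    $status      = sanitize_key( $_REQUEST['status'] ?? '' );

    // No nonce and no capability check: a cross-site page can fire this
    // while a moderator is logged in, and WordPress records the moderator as the actor.
    wp_update_post( array( 'ID' => $question_id, 'post_status' => $status ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_myqa_set_status', 'myqa_set_status' );
function myqa_set_status() {
    // 1. CSRF: require a nonce bound to this action. check_ajax_referer() dies
    //    with a 403 when the nonce is missing, expired, or issued for another action.
    //    An attacker's page cannot obtain the nonce because it is tied to the
    //    victim's session and only embedded in pages the victim's origin serves.
    check_ajax_referer( 'myqa_set_status', 'nonce' );

    // Read POST only: state changes must never be reachable via GET.
    $question_id = absint( $_POST['question_id'] ?? 0 );
    $status      = sanitize_key( $_POST['status'] ?? '' );

    // 2. Authorisation: the nonce proves intent, not permission.
    if ( ! $question_id || ! current_user_can( 'edit_post', $question_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the requested transition against an allow-list.
    $allowed = array( 'publish', 'pending', 'private' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }

    wp_update_post( array( 'ID' => $question_id, 'post_status' => $status ) );
    wp_send_json_success( array( 'id' => $question_id, 'status' => $status ) );
}

// Issue the nonce to the legitimate front-end so its own requests pass the check.
add_action( 'wp_enqueue_scripts', 'myqa_enqueue' );
function myqa_enqueue() {
    wp_enqueue_script( 'myqa', plugins_url( 'myqa.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myqa', 'myqaCfg', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'myqa_set_status' ),   // sent back as the 'nonce' field
    ) );
}
```

For classic (non-AJAX) form handlers the same split applies: wp_nonce_field() in the form and check_admin_referer() at the top of the handler. A quick way to audit a plugin for this class of bug is to list every add_action( 'wp_ajax_...' ) and admin_post_... registration and confirm that each callback calls one of the nonce verification functions before it touches the database.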

Technical or Business Impacts

Brand and reputational risk: If question statuses or comments are altered without intent, public Q&A content can become misleading, inappropriate, or inconsistent with brand guidelines. This can undermine trust in your community or support channels.

Operational disruption: Moderation workflows may be affected if content is unexpectedly edited or statuses are changed. Teams may spend time investigating "mystery changes," re-moderating content, or reopening and closing questions that were handled incorrectly.

Compliance and audit concerns: For organizations with regulated communications or formal approval processes, unauthorized changes made under a legitimate user's session create audit and accountability problems, because the site's own records attribute the change to the staff member whose session was abused.

Recommended remediation: Update DW Question & Answer Pro to version 1.3.7 or a newer patched version. Confirm the installed version on the Plugins screen or with wp plugin get dw-question-answer-pro --field=version, and check that the update has actually been applied on every site that runs the plugin. Reference: CVE-2021-24805 and the Wordfence advisory.
