DW Question Answer Pro Vulnerability (Medium) – CVE-2021-24800

Feb 25, 2026 | Plugins

Attack Vectors

DW Question Answer Pro (slug: dw-question-answer-pro) has a Medium-severity vulnerability (CVSS 5.4; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) tracked as CVE-2021-24800.

This issue can be exploited remotely over the network by a user who is already logged in with basic privileges (for example, a typical site account). Because no user interaction is required (UI:N), an attacker can act quickly once they have any valid login.

In practical terms, if your site uses DW Question Answer Pro to support community Q&A, customer support, or internal knowledge sharing, this weakness creates an avenue for a low-privileged account to interfere with conversations and content trust.

Security Weakness

DW Question Answer Pro through version 1.3.6 is missing an authorization (ownership) check when editing comments. The plugin does not verify that the comment being edited actually belongs to the user making the request.

As a result, any logged-in user may be able to edit other users’ comments, which is an integrity and trust issue for user-generated content and moderated discussions. Reference: Wordfence vulnerability report.

Remediation: Update DW Question Answer Pro to version 1.3.7 or any newer patched version.
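To make the missing check concrete, here is an added, illustrative WordPress AJAX handler for "edit my comment" written with the authorization step in place. It is not the plugin's own code; the action name, nonce action, POST field names and the `dwqa_demo_*` function names are assumptions for this example, while the WordPress API calls are real.

```php
<?php
// Illustrative "edit comment" AJAX handler for a WordPress plugin.
// Hypothetical names (dwqa_demo_*, the nonce action and the POST fields)
// are assumptions for this example; this is not the plugin's own code.

add_action( 'wp_ajax_dwqa_demo_edit_comment', 'dwqa_demo_edit_comment' );

function dwqa_demo_edit_comment() {
    // CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'dwqa_demo_edit_comment', 'nonce' );

    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $content    = isset( $_POST['content'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['content'] ) )
        : '';

    $comment = get_comment( $comment_id );
    if ( ! $comment || '' === $content ) {
        wp_send_json_error( 'Invalid request.', 400 );
    }

    // Authorization (the ownership check the advisory describes as missing):
    // being logged in is not enough; the caller must own the comment or be
    // allowed to moderate comments.
    if ( ! dwqa_demo_user_can_edit_comment( $comment ) ) {
        wp_send_json_error( 'You are not allowed to edit this comment.', 403 );
    }

    $updated = wp_update_comment( array(
        'comment_ID'      => $comment->comment_ID,
        'comment_content' => $content,
    ) );

    if ( ! $updated ) {
        wp_send_json_error( 'Update failed.', 500 );
    }
    wp_send_json_success( array( 'comment_id' => (int) $comment->comment_ID ) );
}

/**
 * Ownership rule: moderators may edit any comment; everyone else only their
 * own. Comments with user_id 0 (anonymous) are never editable by a
 * non-moderator, so a logged-out author can never be "matched".
 */
function dwqa_demo_user_can_edit_comment( WP_Comment $comment ) {
    if ( current_user_can( 'moderate_comments' ) ) {
        return true;
    }
    $current = get_current_user_id();
    return $current > 0 && (int) $comment->user_id === $current;
}
```

When reviewing a plugin for this bug class, look for any comment-update path that reaches `wp_update_comment()` (or a direct query) after only a login or nonce check, with no comparison of the comment's `user_id` to the current user and no capability test.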

Technical or Business Impacts

This vulnerability primarily affects content integrity and trust. Even if the impact is rated Medium, it can still create high business risk when the affected area is customer-facing or compliance-sensitive (support threads, product Q&A, community forums, or internal employee Q&A).

Potential impacts include:

  • Brand and reputational damage: Edited comments can change the tone or meaning of discussions, create the appearance of staff responses, or introduce misleading information.
  • Customer and lead friction: Tampered Q&A content can confuse prospects, increase support load, and reduce conversion confidence.
  • Compliance and audit concerns: If comments contain regulated statements, disclosures, or incident communications, unauthorized edits can complicate record-keeping and oversight.
  • Operational disruption: Moderators may spend time investigating “mysterious edits,” resolving disputes, and restoring content.

From a risk-management standpoint, this is also a reminder to apply least-privilege access for user roles, review who has accounts on the site, and keep plugins patched on a defined schedule.

Similar Attacks

Authorization failures like this are part of the broader class of “broken access control” issues, where a system allows actions that should be restricted to the rightful owner or an administrator.

A recent real-world example of an access-control-related flaw is GitLab’s CVE-2023-7028 account takeover issue, where weaknesses in account recovery logic enabled unauthorized account access in certain scenarios.
