WPQA < 5.5 - Unauthenticated Private Message Disclosure
The plugin, which is a companion to the Discy and Himer themes, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.
Visit /wp-json/wp/v2/asked-question
or /wp-json/wp/v2/asked-question/<ID> (where ID is numeric and can be brute-forced).
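To check whether a site was queried this way, the following is an added example (not part of the original advisory or the plugin's code) that summarises successful requests to the asked-question route per client from a web access log. It assumes combined log format and an arbitrary threshold of three distinct IDs, uses constructed sample lines, and also matches the ?rest_route= URL form that WordPress accepts for the same route.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Route named in the advisory; an optional numeric ID may follow.
ROUTE = re.compile(r"^/wp/v2/asked-question(?:/(\d+))?/?$")
# Combined log format prefix: client IP, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def rest_route(target):
    """Return the REST route for both /wp-json/<route> and ?rest_route=/<route>."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    values = parse_qs(parts.query).get("rest_route")  # parse_qs URL-decodes
    return values[0] if values else None

def scan(lines, id_threshold=3):
    """Per client: listing hits, distinct IDs fetched, enumeration flag.
    id_threshold is an assumed value, tune it for the site."""
    hits = defaultdict(lambda: {"listing": 0, "ids": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "200":   # only 200 responses returned data
            continue
        route = rest_route(m.group(2))
        r = ROUTE.match(route) if route else None
        if not r:
            continue
        if r.group(1):
            hits[m.group(1)]["ids"].add(int(r.group(1)))
        else:
            hits[m.group(1)]["listing"] += 1
    return {ip: {"listing": h["listing"], "ids": sorted(h["ids"]),
                 "enumeration": len(h["ids"]) >= id_threshold}
            for ip, h in hits.items()}

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [10/May/2022:10:00:01 +0000] "GET /wp-json/wp/v2/asked-question HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2022:10:00:02 +0000] "GET /wp-json/wp/v2/asked-question/101 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/May/2022:10:00:03 +0000] "GET /wp-json/wp/v2/asked-question/102 HTTP/1.1" 404 95',
    '203.0.113.7 - - [10/May/2022:10:00:04 +0000] "GET /?rest_route=/wp/v2/asked-question/103 HTTP/1.1" 200 790',
    '203.0.113.7 - - [10/May/2022:10:00:05 +0000] "GET /wp-json/wp/v2/asked-question/104/ HTTP/1.1" 200 801',
    '198.51.100.20 - - [10/May/2022:11:30:00 +0000] "GET /wp-json/wp/v2/posts/101 HTTP/1.1" 200 2048',
    '198.51.100.20 - - [10/May/2022:11:30:09 +0000] "GET /wp-json/wp/v2/asked-question/101 HTTP/1.1" 200 812',
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

On a version before 5.5, any 200 response on this route to a client that was not logged in should be treated as disclosure of the returned questions.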
https://www.youtube.com/watch?v=MbhiQKWvivQ
https://wpscan.com/vulnerability/0416ae2f-5670-4080-a88d-3484bb19d8c8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1598