The vulnerability allows users who have the profile.post permission to publish wall posts on private or blocked profiles without any check for authorization. The reply handling part of the code also fails to confirm that a reply belongs to the profile being viewed, so an attacker can inject replies into any existing wall post on another user’s profile. This creates a data integrity problem and lets attackers create or modify content that appears on other users’ walls, potentially defaming or confusing other members.

The issue exists in NamelessMC software, version 2.2.4. The product is named Nameless, and the vulnerability is present in that specific version. A patch that resolves the problem is available in version 2.2.5.

The CVSS score of 5.3 places the vulnerability in the medium severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be carried out by sending direct POST requests to the profile handling page; the attacker only needs to possess the profile.post permission to succeed. Because a valid user credential is required for the permission, the attacker must either impersonate a legitimate user or be a privileged user themselves. If an attacker can obtain such a credential, they can write arbitrary content to any user’s wall and inject replies to existing wall posts, potentially manipulating the community data flow or defaming members.