WordPress Plugin Vulnerabilities

WP Prayer II < 2.4.8 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp-prayers-request
Fixed in 2.4.8

References

CVE
CVE-2024-4751

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
94f4cc45-4c55-43d4-8ad2-a20c118b589f

Timeline

Publicly Published
2024-05-24 (about 1 year ago)
Added
2024-05-24 (about 1 year ago)
Last Updated
2026-01-06 (about 11 days ago)

Other

Published
Title
Published
2024-08-25
Title
GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF
Published
2016-02-16
Title
ALO EasyMail Newsletter < 2.7.0 - Cross-Site Request Forgery (CSRF)
Published
2021-03-13
Title
VM Backups <= 1.0 - CSRF to Database Backup Download
Published
2025-06-12
Title
Link Shield <= 0.5.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-11-01
Title
Homepage Pop-up <= 1.2.5 - CSRF