Pray For Me <= 1.0.4 – Unauthenticated Stored XSS | CVE 2024-3966 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin

Proof of Concept

1. Configure the plugin to add the first name and last name fields to the form: https://example.com/wp-admin/admin.php?page=caruso_prayer_plugin_settings
2. Add the `[prayer_form]` shortcode to a post or page
3. As a unauthenticated user, fill out the form and enter `"><script>alert(1)</script>` in the "first name" and "last name" fields
4. As an admin, go to: https://example.com/wp-admin/admin.php?page=caruso_prayer_plugin to see the XSS

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

9f0a575f-862d-4f2e-8d25-82c6f58dd11a

Timeline

Publicly Published

2024-05-24 (about 1 year ago)

Added

2024-05-24 (about 1 year ago)

Last Updated

2024-05-24 (about 1 year ago)

Other

Published

Title

Published

2023-03-21

Title

Team Member < 4.5 - Editor+ Stored Cross-Site Scripting

Published

2025-07-30

Title

Easy Elementor Addons < 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-14

Title

Plugin README Parser <= 1.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter

Published

2021-05-05

Title

Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key

Published

2022-12-27

Title

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.4.0 - Contributor+ Stored XSS