WordPress Plugin Vulnerabilities

WP Prayer < 1.6.6 - Cross-Site Request Forgery

Description

The plugin does not properly validate nonces in the save() and export() functions, enabling Cross-Site Request Forgery. As a result, unauthorized changes to plugin settings and unexpected data exports can occur.

Affects Plugins

Plugin icon
wp-prayer
Fixed in 1.6.6

References

CVE
CVE-2021-4412
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7efbdb1-989f-4171-ab55-aff66014337a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
d6f83552-ba2d-4147-9ca8-62344bc0f0fe

Timeline

Publicly Published
2021-06-08 (about 4 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2023-10-18
Title
Novo-Map : your WP posts on custom google maps <= 1.1.2 - CSRF
Published
2025-10-02
Title
Customify < 0.4.12 - Cross-Site Request Forgery
Published
2025-05-02
Title
Abundatrade Plugin <= 1.8.02 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-10-20
Title
Advanced Order Export For WooCommerce < 3.3.3 - Export Files via CSRF
Published
2023-02-28
Title
WP TFeed <= 1.6.9 - Delete cache via CSRF