WordPress Plugin Vulnerabilities

WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF

Description

The plugin did not properly check for CSRF in some of its module functions, allowing attacker to make logged in admin change all plugin's settings (including the email settings) for example.

v1.6.6 fixed most of CSRF checks, but the one in model.email_settings.php was improperly fixed (bypass still possible by providing a dummy nonce)

Timeline:
May 25th, 2021 - Vendor contacted
May 31st, 2021 - Escalated to WP due to unresponsive vendor
June 1st, 2021 - WP Investigating
June 7th, 2021, v1.6.6 released, fixing the logic expect in model.email_settings.php. WP notified again about it
June 13th, 2021 - v1.6.7 released, fixing the remaining CSRF issue

Proof of Concept

Affects Plugins

Plugin icon
wp-prayer
Fixed in 1.6.7

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
e4f17c7b-06a6-469d-a128-27a51e36493d

Timeline

Publicly Published
2021-06-08 (about 4 years ago)
Added
2021-06-11 (about 4 years ago)
Last Updated
2021-06-13 (about 4 years ago)

Other

Published
Title
Published
2023-05-31
Title
bbPress Toolkit <= 1.0.12 - Cross-Site Request Forgery
Published
2025-04-16
Title
Basic Interactive World Map <= 2.7 - Cross-Site Request Forgery to Settings Update
Published
2024-10-14
Title
Better Author Bio <= 2.7.10.11 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2014-08-01
Title
Quick Page Post Redirect 5.0.4 - redirect-updates.php Multiple Admin Function CSRF
Published
2023-08-07
Title
GDPR Cookie Compliance < 4.12.5 - License Update/Deactivation via CSRF