CVE-2021-4412

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 65.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Abrg WP PrayerGoprayer WP Prayer
Timeline
PublishedJul 12

Description

The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the save() and export() functions. This makes it possible for unauthenticated attackers to save plugin settings and trigger a data export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5abrg/wp_prayer1.6.5

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-45fv-hg56-qgcj: The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 12023-07-12
CVEList
WP Prayer <= 1.6.5 - Cross-Site Request Forgery Bypass2023-07-12
CVE-2021-4412 (MEDIUM CVSS 4.3) | The WP Prayer plugin for WordPress | cvebase.io