CVE-2024-4751
📋 TL;DR
The WP Prayer II WordPress plugin through version 2.4.7 lacks CSRF protection on its settings update functionality. This allows attackers to trick logged-in administrators into unknowingly modifying plugin settings via malicious requests. Only WordPress sites using this specific plugin are affected.
💻 Affected Systems
- WP Prayer II WordPress Plugin
📦 What is this software?
WP Prayer II (listed as "Prayer" by GoPrayer) is a WordPress plugin for collecting and displaying prayer requests on a site. The vulnerable code path is its admin settings form.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could change plugin settings to redirect users, inject malicious content, or disable security features, potentially leading to site compromise or data leakage.
Likely Case
Attackers modify plugin settings to display unwanted content, redirect users to malicious sites, or disrupt normal functionality.
If Mitigated
With a WordPress nonce (the platform's CSRF token) verified on the settings handler, a forged cross-site request fails the check before any option is written. The attacker's page cannot read the nonce from the victim's admin session, so the request is rejected even though the browser attaches the admin's cookies.
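The pattern below is an added illustration, not code from the WP Prayer II plugin: a settings handler with the vulnerable shape described above next to the nonce-protected form. The function names, option name (`wpp2_redirect_url`), nonce action and field names are hypothetical; only `check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option` and the sanitisation helpers are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. All wpp2_* names and the
// option/nonce names are hypothetical.

// --- Vulnerable pattern: any POST from a logged-in admin is honoured ---
function wpp2_save_settings_vulnerable() {
    if ( ! isset( $_POST['wpp2_save'] ) ) {
        return;
    }
    // No nonce and no capability check: a cross-site form POST that the
    // victim's browser sends with the admin cookies reaches update_option().
    update_option( 'wpp2_redirect_url', $_POST['redirect_url'] );
}

// --- Hardened pattern: nonce + capability check + sanitisation ---
function wpp2_save_settings_hardened() {
    if ( ! isset( $_POST['wpp2_save'] ) ) {
        return;
    }
    // check_admin_referer() validates the nonce field named in the second
    // argument and calls wp_die() (HTTP 403) when it is missing or stale,
    // so a forged request never reaches update_option().
    check_admin_referer( 'wpp2_save_settings', 'wpp2_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions', 'wpp2' ) );
    }
    // Sanitise before storing: the value is later echoed or used as a redirect target.
    $url = esc_url_raw( wp_unslash( $_POST['redirect_url'] ?? '' ) );
    update_option( 'wpp2_redirect_url', $url );
}

// The settings form must emit the matching nonce field, otherwise the
// legitimate admin's own submission would be rejected too.
function wpp2_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'wpp2_save_settings', 'wpp2_nonce' ); ?>
        <label>Redirect URL
            <input type="url" name="redirect_url"
                   value="<?php echo esc_attr( get_option( 'wpp2_redirect_url', '' ) ); ?>">
        </label>
        <button type="submit" name="wpp2_save" value="1">Save</button>
    </form>
    <?php
}

add_action( 'admin_init', 'wpp2_save_settings_hardened' );
```

The nonce action string and field name passed to `check_admin_referer()` must match the ones given to `wp_nonce_field()`; a mismatch makes every save fail rather than silently disabling the check. The capability check is separate from the nonce: the nonce proves the request came from a form the site rendered for this user, the capability check proves the user may change settings at all.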
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get an administrator with an active WordPress session to load a page the attacker controls (for example via a link in an email). Once that happens the technical execution is trivial, since the forged request is just an HTML form that the victim's browser submits to the plugin's settings page with the admin cookies attached. No credentials or site-specific secrets are needed beyond the site's admin URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.8 or later
Vendor Advisory: https://wpscan.com/vulnerability/94f4cc45-4c55-43d4-8ad2-a20c118b589f/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP Prayer II plugin.
4. Click 'Update Now' if available, or manually update to version 2.4.8 or later.
5. Verify that the update completed successfully and the listed version is 2.4.8+.
🔧 Temporary Workarounds
Disable WP Prayer II Plugin
Temporarily deactivate the vulnerable plugin until it is patched (the settings endpoint is not reachable while the plugin is inactive):
wp plugin deactivate wp-prayer-ii
Implement Web Application Firewall (WAF)
Configure WAF rules that reject POST requests to the plugin's admin page when the Origin (or, failing that, Referer) header is absent or does not match your site's host. This is a partial control only: it relies on headers the browser sends, so treat it as a stopgap until the plugin is updated, not as a replacement for the nonce check.
🧯 If You Can't Patch
- Remove WP Prayer II plugin entirely if not essential
- Restrict /wp-admin access to trusted networks. Note that this narrows who can be targeted but does not stop CSRF itself: the forged request originates from the administrator's own browser, which is already inside the trusted network.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WP Prayer II. If version is 2.4.7 or lower, you are vulnerable.
Check Version:
wp plugin get wp-prayer-ii --field=version
Verify Fix Applied:
After updating, verify WP Prayer II version shows 2.4.8 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to the plugin's settings page (e.g. /wp-admin/admin.php?page=wp-prayer-ii; confirm the exact page slug against the plugin's admin menu registration) whose Referer or Origin points to a host other than your site, or is missing entirely
- After updating to 2.4.8+, HTTP 403 responses to POSTs on that page, which is what a failed nonce check produces; the vulnerable version performs no check and therefore logs no failures, so an absence of such events before patching is not evidence of safety
Network Indicators:
- HTTP POST requests to the plugin settings endpoint without a same-site Origin/Referer header or without the nonce field in the body. The Referer alone is unreliable, as browsers frequently strip it under referrer policies; log and check the Origin header where your web server allows it.
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string="page=wp-prayer-ii") AND http_method="POST" AND NOT referrer CONTAINS "your-domain.com"
Replace your-domain.com with your site's host. A request with no referrer at all must also match, so confirm how your SIEM evaluates NOT CONTAINS on an absent field, and exclude the 403 responses generated by the patched plugin's own nonce check if they are noisy.
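The following script is an added example, not part of the advisory, that applies the log indicators above to constructed access-log lines. It assumes a combined-format log with the Origin header appended as a sixth quoted field (`%{Origin}i` in an Apache LogFormat), a site host of example.org, and the page slug wp-prayer-ii from the indicator above; all three are assumptions to adjust for your environment.

```php
<?php
// Added example, not from the original advisory. Flags POSTs to the plugin
// settings page whose Origin and Referer are both absent or foreign.

const SITE_HOST   = 'example.org';          // assumption: your site's host
const TARGET_PATH = '/wp-admin/admin.php';
const TARGET_PAGE = 'wp-prayer-ii';         // assumption: confirm the real page slug

// Constructed sample lines: ip - - [time] "req" status bytes "referer" "ua" "origin"
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=wp-prayer-ii HTTP/1.1" 302 0 "https://example.org/wp-admin/admin.php?page=wp-prayer-ii" "Mozilla/5.0" "https://example.org"
198.51.100.9 - - [10/May/2024:10:03:15 +0000] "POST /wp-admin/admin.php?page=wp-prayer-ii HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0" "https://attacker.example"
198.51.100.9 - - [10/May/2024:10:03:40 +0000] "POST /wp-admin/admin.php?page=wp-prayer-ii HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/May/2024:10:05:00 +0000] "GET /wp-admin/admin.php?page=wp-prayer-ii HTTP/1.1" 200 5120 "https://example.org/wp-admin/" "Mozilla/5.0" "-"
LOG;

// Parse one combined-format line (plus trailing Origin field) into an array.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'origin'  => $m[7],
    ];
}

// True only when the header carries a URL whose host is our site.
function is_same_site(string $header): bool {
    if ($header === '' || $header === '-') {
        return false;
    }
    $host = parse_url($header, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}

// Return every POST to the plugin page with no same-site Origin and no same-site Referer.
function suspicious_posts(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_line($line);
        if ($e === null || $e['method'] !== 'POST') {
            continue;
        }
        $path = parse_url($e['target'], PHP_URL_PATH);
        parse_str((string) parse_url($e['target'], PHP_URL_QUERY), $q);
        if ($path !== TARGET_PATH || ($q['page'] ?? '') !== TARGET_PAGE) {
            continue;
        }
        // Browsers send Origin on cross-site POSTs even when Referer is stripped,
        // so a request is suspicious only if neither header vouches for our site.
        if (!is_same_site($e['origin']) && !is_same_site($e['referer'])) {
            $hits[] = $e;
        }
    }
    return $hits;
}

foreach (suspicious_posts(SAMPLE_LOG) as $h) {
    printf("%s %s POST %s origin=%s referer=%s\n",
        $h['time'], $h['ip'], $h['target'], $h['origin'], $h['referer']);
}
```

Run against the constructed sample, the script reports the two POSTs from 198.51.100.9 (foreign Origin, then no headers at all) and ignores the admin's own same-site save and the GET. Requiring both headers to be non-same-site keeps legitimate saves with a stripped Referer out of the alert queue, since the browser still sends a same-site Origin for those.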