CVE-2024-4758
📋 TL;DR
This CSRF vulnerability in the Muslim Prayer Time BD WordPress plugin allows attackers to trick authenticated administrators into resetting plugin settings without their consent. Attackers can craft malicious requests that appear legitimate, causing admins to unknowingly reset configurations when logged in. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Muslim Prayer Time BD WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reset all plugin settings, potentially disrupting prayer time functionality for Muslim users, and if combined with other vulnerabilities, could lead to further compromise of the WordPress site.
Likely Case
Attackers trick administrators into resetting plugin settings, causing temporary disruption of prayer time display functionality until settings are reconfigured.
If Mitigated
With proper CSRF protections and admin awareness, the vulnerability would be prevented as legitimate nonce checks would block unauthorized requests.
🎯 Exploit Status
Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.4
Vendor Advisory: https://wpscan.com/vulnerability/64ec57a5-35d8-4c69-bdba-096c2245a0db/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Muslim Prayer Time BD' plugin.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify the plugin version is above 2.4.
🔧 Temporary Workarounds
CSRF Protection via WordPress Nonce
Manually add CSRF protection to the settings reset functionality by implementing WordPress nonce checks.
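The pattern described above, as an added illustration that is not the plugin's own code: a settings-reset handler that trusts any POST (the CSRF shape this advisory describes) beside the same handler guarded by a capability check and a WordPress nonce. The option name, page slug, action and function names are hypothetical placeholders; the WordPress API calls are real.

```php
<?php
// Added illustration, not code from the Muslim Prayer Time BD plugin.
// Option name, page slug, action and function names are hypothetical.

// BEFORE: a reset handler that trusts any POST carrying the reset flag.
// Any page the administrator visits while logged in can auto-submit such
// a form, and the browser attaches the admin's cookies: that is the CSRF.
function mptbd_example_reset_unprotected() {
    if ( isset( $_POST['mptbd_reset'] ) ) {
        delete_option( 'mptbd_example_settings' ); // hypothetical option name
    }
}

// AFTER: a dedicated admin-post handler that requires the manage_options
// capability and a nonce bound to the logged-in user and this action.
add_action( 'admin_post_mptbd_example_reset', 'mptbd_example_reset_protected' );

function mptbd_example_reset_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the _wpnonce field for this action
    // and dies with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'mptbd_example_reset', '_wpnonce' );

    delete_option( 'mptbd_example_settings' );

    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'admin.php?page=mptbd-example' ) ) );
    exit;
}

// The form that triggers the reset must emit the matching nonce field;
// a forged cross-site form cannot know the per-user nonce value.
function mptbd_example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mptbd_example_reset">
        <?php wp_nonce_field( 'mptbd_example_reset', '_wpnonce' ); ?>
        <?php submit_button( 'Reset settings' ); ?>
    </form>
    <?php
}
```

The nonce alone does not replace the capability check: nonces prove the request originated from a form WordPress rendered for this user, while `current_user_can()` proves the user is allowed to perform the reset.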
Plugin Deactivation
Temporarily deactivate the plugin until patched, though this will disable prayer time functionality.
wp plugin deactivate muslim-prayer-time-bd
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block CSRF attacks targeting the plugin's reset endpoint.
- Educate administrators about CSRF risks and advise them to log out of admin sessions when not actively managing the site.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find Muslim Prayer Time BD, and verify version is 2.4 or lower.
Check Version:
wp plugin get muslim-prayer-time-bd --field=version
Verify Fix Applied:
After updating, verify plugin version is above 2.4 in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin.php?page=muslim-prayer-time-bd with reset parameters from unexpected sources
- Admin user sessions with unusual reset actions
Network Indicators:
- HTTP POST requests to plugin reset endpoints without proper referrer headers or nonce parameters
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin.php" AND query_string="page=muslim-prayer-time-bd" AND method="POST")