WP Prayer WordPress Plugin Authenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP Prayer WordPress plugin, affecting versions prior to 1.6.2. The vulnerability allows authenticated users to submit prayer requests containing malicious JavaScript, which is then executed when the requests are displayed on the site. This issue arises because the plugin's input fields for prayer and praise requests lack proper validation, enabling the injection of XSS payloads.

Impact

Exploitation of this vulnerability allows for authenticated stored cross-site scripting: the injected script runs in the browser of any user who views the stored prayer requests, including administrators reviewing submissions in the 'Manage Prayers' dashboard. Because a low-privileged subscriber account is sufficient to submit a request, the practical risk is a privilege escalation path from subscriber to whichever higher-privileged user loads the request.

Reproduction

To reproduce this vulnerability, create a WordPress user with the 'subscriber' role. Install WP Prayer version 1.5.5 and create a page with the 'wp-prayer-engine form' shortcode, as well as a page with the 'wp-prayer-engine' shortcode. Log in as the subscriber user, navigate to the prayer request form page, and enter a JavaScript payload in the 'prayer request' field. After submitting the form, go to the page with the 'wp-prayer-engine' shortcode or the 'Manage Prayers' admin dashboard. The XSS payload will be executed when the prayer request is loaded.
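The missing controls described above, as an added illustration rather than WP Prayer's own code: a hypothetical pair of shortcodes that mirrors the form and listing pages from the reproduction steps, sanitising the request on input and escaping it on output. All function and option names prefixed `prayer_demo_` are assumptions for this example; the WordPress API calls are the standard ones.

```php
<?php
// Hypothetical minimal prayer-request shortcodes (not WP Prayer's code) that
// show the two controls the advisory implies: sanitise on input, escape on output.

const PRAYER_DEMO_OPTION = 'prayer_demo_requests'; // storage key is an assumption

// [prayer_demo_form]: renders the request form and handles its own POST.
function prayer_demo_form_shortcode() {
    if ( ! is_user_logged_in() ) {
        return '<p>Please log in to submit a request.</p>';
    }
    $notice = '';
    if ( isset( $_POST['prayer_demo_nonce'] ) ) {
        if ( ! wp_verify_nonce( $_POST['prayer_demo_nonce'], 'prayer_demo_submit' ) ) {
            return '<p>Invalid submission.</p>';
        }
        // Strips tags, invalid octets and control characters on the way in; keeps newlines.
        $text = sanitize_textarea_field( wp_unslash( $_POST['prayer_text'] ?? '' ) );
        if ( '' !== $text ) {
            $requests   = get_option( PRAYER_DEMO_OPTION, array() );
            $requests[] = array( 'user' => get_current_user_id(), 'text' => $text );
            update_option( PRAYER_DEMO_OPTION, $requests );
            $notice = '<p>Thank you, your request was received.</p>';
        }
    }
    return $notice . '<form method="post">'
        . wp_nonce_field( 'prayer_demo_submit', 'prayer_demo_nonce', true, false )
        . '<textarea name="prayer_text" required></textarea>'
        . '<button type="submit">Submit request</button></form>';
}
add_shortcode( 'prayer_demo_form', 'prayer_demo_form_shortcode' );

// [prayer_demo_list]: renders stored requests. Escaping at output is the control
// that matters most: it also covers entries stored before input sanitisation existed.
function prayer_demo_list_shortcode() {
    $out = '<ul class="prayer-requests">';
    foreach ( get_option( PRAYER_DEMO_OPTION, array() ) as $request ) {
        // Vulnerable pattern the advisory describes: '<li>' . $request['text'] . '</li>'
        $out .= '<li>' . nl2br( esc_html( $request['text'] ) ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'prayer_demo_list', 'prayer_demo_list_shortcode' );
```

The same `esc_html()` treatment has to be applied wherever the admin side renders a request, such as the 'Manage Prayers' screen, since an administrator's browser is the higher-value target for a stored payload.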

Remediation

Users are advised to update the WP Prayer WordPress plugin to version 1.6.2 or later.

Added: May 15, 2026, 8:38 AM
Updated: May 15, 2026, 8:38 AM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          5.4
exploitability:  6.3
remediation:     0.0
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.