The WP Prayer WordPress plugin through 2.0.9 does not have a CSRF check in place when updating its email settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
The WP Prayer WordPress plugin through version 2.0.9 does not have CSRF verification enabled when updating its email settings, which could allow attackers to make a logged-in administrator change them through a CSRF attack.
The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the wpe_manage_email_settings page. This makes it possible for unauthenticated attackers to update email settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
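
The nonce validation described above as missing, shown in a settings handler that includes it. This is an added example, not WP Prayer's source code: every name prefixed with example_ (page slug, option key, nonce action, field names) is a hypothetical stand-in, and the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
// Added example: hypothetical plugin code, not WP Prayer's source.
// All "example_" names are assumptions made for illustration.

const EXAMPLE_NONCE_ACTION = 'example_save_email_settings';

add_action('admin_menu', function () {
    add_options_page('Email Settings', 'Email Settings', 'manage_options',
        'example-email-settings', 'example_render_email_settings');
});

function example_render_email_settings() {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.'));
    }
    $from = get_option('example_from_email', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_save_email_settings">
        <?php // Emits a hidden per-user, per-action token bound to the session. ?>
        <?php wp_nonce_field(EXAMPLE_NONCE_ACTION, 'example_nonce'); ?>
        <input type="email" name="from_email" value="<?php echo esc_attr($from); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action('admin_post_example_save_email_settings', function () {
    // Capability check: decides WHO may change the setting.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.'), '', array('response' => 403));
    }
    // Nonce check: decides whether the request came from the form above.
    // A forged cross-site POST carries the admin's cookies but not this
    // token, so check_admin_referer() stops it before any state change.
    check_admin_referer(EXAMPLE_NONCE_ACTION, 'example_nonce');

    $from = sanitize_email(wp_unslash($_POST['from_email'] ?? ''));
    if ($from !== '' && is_email($from)) {
        update_option('example_from_email', $from);
    }
    wp_safe_redirect(admin_url('options-general.php?page=example-email-settings'));
    exit;
});
```

The capability check alone does not stop CSRF, because a forged request runs with the logged-in administrator's privileges; the nonce is what ties the write to a form the site itself rendered.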