CVE-2024-3966: 
WordPress vulnerability analysis and mitigation

The Pray For Me WordPress plugin through version 1.0.4 contains a Cross-Site Scripting (XSS) vulnerability that affects unauthenticated visitors. The vulnerability was discovered on May 24, 2024, and was assigned CVE-2024-3966. The issue affects all versions of the Pray For Me WordPress plugin up to and including version 1.0.4 (WPScan).

The vulnerability stems from improper sanitization and escaping of parameters in the plugin. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited, this vulnerability allows unauthenticated visitors to perform Cross-Site Scripting attacks that are triggered when an administrator visits the Prayer Requests section in the WordPress Admin interface (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the Pray For Me WordPress plugin should consider disabling the plugin until a security update is released (WPScan).