Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues.
- The original reporter mentioned the issue being fixed in 2.10.2, but we could still trigger it with the same payload in this version, as well as the latest 2.10.3. Vendor was notified about it
- April 29th, 2021 - v2.10.4 released, fixing the issue
Proof of Concept
As admin, put the payload below in the Background Image field of the Stripe Checkout settings (/wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways§ion=stripe-settings&group=checkout) or Logo field in the Email Settings (/wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=emails§ion=email-settings)
" autofocus onfocus=alert(/XSS/)//