How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter): " autofocus=autofocus onfocus=alert(/XSS/) e=

The XSS will trigger when editing the affected Button

Affects Plugins

easy-paypal-donation

Fixed in version 1.3.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

08f4ebf5-6bbe-4fb0-a9d2-c8a994afe39b

Timeline

Publicly Published

2021-10-18 (about 1 years ago)

Added

2021-10-18 (about 1 years ago)

Last Updated

2022-04-14 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin