WordPress Plugin Vulnerabilities
GiveWP < 2.12.0 - Admin+ Stored XSS
Description
The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
Proof of Concept
Put the following payload in any Donation Level Text field of a Donation Form (ie /wp-admin/post.php?post=9&action=edit&give_tab=form_field_options#form_field_options): "onmouseover=alert(/XSS/)// Then view a page/post with the embed Donation Form and move the mouse over the related Donation Level the payload was injected in to trigger the XSS
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-07-26 (about 2 years ago)
Added
2021-07-26 (about 2 years ago)
Last Updated
2023-04-12 (about 1 years ago)