Extra Charges To Payment Gateway For WooCommerce <= 2.0.2.1 - Unauthorised Arbitrary Plugin Settings Change to Stored XSS
Description
The add_form_fields() method, hooked to the admin_head action, lacks any CSRF and capability checks, allowing low-privilege users to arbitrarily update the plugin's settings and to store XSS payloads in them, which could lead to privilege escalation. Unauthenticated attackers could also make a logged-in user change those settings via a CSRF attack.
Note (WPScanTeam): Initially, the original issue was an XSS, which was improperly fixed by the vendor; then, during confirmation of the issue, we noticed an Unauthorised Plugin Settings Change vulnerability. The vendor was notified and made some changes, but put the CSRF and capability checks in the wrong place (in the middle of the method rather than at the top) and did not release a new version either. After two months of trying to get them to properly fix the issues, it was escalated to the WordPress plugin team and the plugin was closed once more.
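To make the defect class in the Description and the "checks in the wrong place" remark in the note concrete, the following is an added illustration written for this page; it is not the plugin's own code. The function names, the `excg_example_` prefix, the option name and the field names are all assumptions. The first function shows the vulnerable shape (a settings write on every admin_head with no nonce or capability check and raw output), the remaining functions show the hardened shape using WordPress core APIs (`current_user_can`, `check_admin_referer`, `sanitize_text_field`, `esc_attr`), with the authorization and CSRF checks placed before any state change:

```php
<?php
// Hypothetical settings handler for a WooCommerce extension, written to
// illustrate the issue described on this page. Not the plugin's own code;
// function names, option name and field names are assumptions.

// --- Vulnerable pattern: saves whatever arrives in $_POST on every admin page load. ---
function excg_example_add_form_fields_vulnerable() {
    if ( isset( $_POST['excg_example_fee_label'] ) ) {
        // No nonce check and no capability check: any authenticated user who can
        // load an admin page, or a victim submitting a cross-site form, writes here.
        update_option( 'excg_example_fee_label', $_POST['excg_example_fee_label'] );
    }
    // Unescaped echo of the stored value: a stored payload runs for every admin.
    echo '<input type="text" name="excg_example_fee_label" value="'
        . get_option( 'excg_example_fee_label' ) . '">';
}
// (Do not register this; it is shown only for contrast.)

// --- Hardened pattern: authorize, verify the nonce, sanitize, then escape on output. ---
function excg_example_save_settings() {
    // 1. Capability check at the very top, before any state change.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'excg-example' ), 403 );
    }

    // 2. CSRF check: the nonce is bound to this specific action and field name.
    check_admin_referer( 'excg_example_save_settings', 'excg_example_nonce' );

    // 3. Sanitize on input; never store the raw request value.
    $label = isset( $_POST['excg_example_fee_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['excg_example_fee_label'] ) )
        : '';
    update_option( 'excg_example_fee_label', $label );

    // 4. Return to the settings page instead of rendering from the POST handler.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// The save runs only for an explicit admin-post.php submission, not on every admin_head.
add_action( 'admin_post_excg_example_save_settings', 'excg_example_save_settings' );

function excg_example_render_settings_form() {
    // Rendering is also gated, so the form is not exposed to low-privilege users.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="excg_example_save_settings">
        <?php wp_nonce_field( 'excg_example_save_settings', 'excg_example_nonce' ); ?>
        <label for="excg_example_fee_label">Fee label</label>
        <!-- 5. Escape on output even though the value was sanitized on input. -->
        <input type="text" id="excg_example_fee_label" name="excg_example_fee_label"
               value="<?php echo esc_attr( get_option( 'excg_example_fee_label', '' ) ); ?>">
        <input type="submit" class="button button-primary" value="Save">
    </form>
    <?php
}
```

The ordering matters for the reason the note gives: a capability or nonce check placed after an `update_option()` call protects nothing, because the write has already happened by the time the check runs. Putting both checks first, routing the write through a dedicated `admin_post_*` handler, and escaping on output closes the settings-change, CSRF and stored-XSS paths together.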