The plugin did not sanitise the label of Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin.
Log on as an admin, create or edit a Form Field (wp-admin/admin.php?page=wpbdp_admin_formfields) and set the Field Label input to a payload such as <script>alert(/XSS/)</script>

XSS payloads execute:
- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing
- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv
- When adding/editing a listing: /wp-admin/post-new.php?post_type=wpbdp_listing
- On various Settings pages, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting and /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings
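The pattern behind the issue, next to a hardened form, as an added example that is neither the plugin's code nor its actual fix. The function names render_label_unsafe, render_label_safe and save_label are hypothetical; esc_html(), esc_attr() and sanitize_text_field() are WordPress core helpers, given simplified stand-ins here so the file also runs outside WordPress.

```php
<?php
// Added example: hypothetical helper names, not the plugin's own code.
// Outside WordPress, simplified stand-ins for the core helpers are defined
// so the file runs on its own with `php example.php`.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Rough stand-in: strips tags and collapses whitespace, as core does.
    function sanitize_text_field($s) {
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s)));
    }
}

// Vulnerable pattern: the stored label is concatenated into markup as-is,
// so any page that renders the field runs whatever the label contains.
function render_label_unsafe(string $label, string $id): string {
    return '<label for="' . $id . '">' . $label . '</label>';
}

// Hardened output: escape for the context at render time. This has to be
// done on every page that prints the label (front-end form, admin screens).
function render_label_safe(string $label, string $id): string {
    return '<label for="' . esc_attr($id) . '">' . esc_html($label) . '</label>';
}

// Hardened input: reduce the label to plain text when the field is saved,
// so consumers that forget to escape still receive no markup.
function save_label(string $raw): string {
    return sanitize_text_field($raw);
}

$stored = '<script>alert(/XSS/)</script>'; // payload from the advisory

echo "unsafe: ", render_label_unsafe($stored, 'f1'), "\n";
echo "escaped: ", render_label_safe($stored, 'f1'), "\n";
echo "sanitised + escaped: ", render_label_safe(save_label($stored), 'f1'), "\n";
```

Labels saved before such a fix remain in the database unchanged, which is why escaping at output is needed in addition to sanitising on save.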
0xB9
0xB9
Yes
2021-04-12
2021-04-12
2021-04-14