Business Directory Plugin < 5.11.2 – Authenticated Stored Cross-Site Scripting | CVE 2021-24250

Description

The plugin suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin.

Proof of Concept

Log on as an admin, create or edit a Form Field (wp-admin/admin.php?page=wpbdp_admin_formfields) and set the Field Label input with a payload such as <script>alert(/XSS/)</script>

XSS payloads execute:
- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing
- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv
- When adding/editing a listing /wp-admin/post-new.php?post_type=wpbdp_listing
- On various Settings page, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings