Cost Calculator < 1.6 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24821

Description

The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page)

Proof of Concept

Create a new "Cost Calculator" post, set the Price Settings > Description field to "><script>alert(/XSS/)</script>
and reload (or have an admin view the page). The XSS will also trigger when the related calculator shortcode (e.g [nd_cost_calculator id="806"]) is embed in a post/page

Create a new Project, set the Text Preview field to " style="animation-name:rotation;" onanimationend="alert(/XSS/)//
and reload (or have an admin view the page).