The plugin does not perform an authorization check in its vcita-wordpress/v1/actions/auth REST route, allowing an unauthenticated attacker to set the connection parameters for the vcita account connection, including business_name and email address. Furthermore, these values are stored in the database without any validation and are later inserted into the website without escaping or sanitization, leading to a stored cross-site scripting vulnerability.
curl https://example.com/wp-json/vcita-wordpress/v1/actions/auth \
--json '{
"success": true,
"user_data": {
"business_id": "\"; alert(1); //",
"business_name": "Evil Eve",
"email": "[email protected]"
}
}'
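The two missing controls described above, shown as an added sketch for a WordPress plugin; this is not the plugin's own code. The route name is taken from the advisory, while every `example_` function and option name is hypothetical, and it assumes only a site administrator should be able to change the connection.

```php
<?php
// Added example: hypothetical names, not the vcita plugin's own code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'vcita-wordpress/v1', '/actions/auth', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_connection',
        // Authorization check: unauthenticated callers get a 401/403
        // before the callback ever runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Read one scalar field and strip tags and control characters.
function example_field( $user, $key ) {
    $ok = isset( $user[ $key ] ) && is_scalar( $user[ $key ] );
    return $ok ? sanitize_text_field( (string) $user[ $key ] ) : '';
}

function example_save_connection( WP_REST_Request $request ) {
    $data = $request->get_json_params();
    $user = ( isset( $data['user_data'] ) && is_array( $data['user_data'] ) )
        ? $data['user_data'] : array();

    $email = sanitize_email( example_field( $user, 'email' ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email.', array( 'status' => 400 ) );
    }
    update_option( 'example_connection', array(
        'business_id'   => example_field( $user, 'business_id' ),
        'business_name' => example_field( $user, 'business_name' ),
        'email'         => $email,
    ) );
    return rest_ensure_response( array( 'success' => true ) );
}

// Output side: sanitize_text_field() keeps quotes, so a stored value can
// still break out of a JavaScript string. Encode for the output context.
add_action( 'wp_footer', function () {
    $conn = get_option( 'example_connection', array() );
    if ( empty( $conn ) ) {
        return;
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    printf( '<script>var exampleConfig = %s;</script>', wp_json_encode( $conn, $flags ) );
    echo '<p>' . esc_html( $conn['business_name'] ) . '</p>';
} );
```

With the permission callback in place the request shown above is rejected for an unauthenticated client, and a quote-bearing business_id that is stored anyway is emitted as escaped JSON data rather than as script.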