The plugin does not escape the Amount Menu Name field of created Buttons, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter):

    " autofocus=autofocus onfocus=alert(/XSS/) e=

The XSS will trigger when editing the affected Button.
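The root cause is an attribute-context injection: the stored value is echoed into a double-quoted `value="..."` attribute without escaping, so a leading `"` closes the attribute and the rest of the string becomes new attributes. The following PHP is an added illustration, not the plugin's own code; the renderer names, the field markup and the `esc_attr()` stand-in (so it runs outside WordPress) are assumptions, and only the parameter name comes from the advisory.

```php
<?php
// Added illustration of the unescaped vs. escaped Amount Menu Name output.
// Assumption: a minimal stand-in for WordPress esc_attr() so this runs without
// WordPress loaded; inside a plugin, call the real esc_attr().
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (assumed shape): the saved value is dropped straight into a
// double-quoted attribute. A stored `"` terminates the attribute and the text
// after it is parsed as further attributes (autofocus, onfocus, ...).
function render_amount_menu_name_unsafe(string $stored): string {
    return '<input type="text" name="wpedon_button_scpriceprice" value="'
        . $stored . '">';
}

// Hardened pattern: esc_attr() converts " to &quot; (and & < > ' likewise), so
// the entire value stays inside the attribute. This is output escaping, which
// is what the unfiltered_html capability check does not provide here.
function render_amount_menu_name_safe(string $stored): string {
    return '<input type="text" name="wpedon_button_scpriceprice" value="'
        . esc_attr($stored) . '">';
}

// Check used only for this demonstration: true when the rendered tag consists
// of exactly the three expected attributes and nothing else, i.e. the value
// attribute was not broken out of. A raw " inside the value fails the check.
function value_stays_in_attribute(string $html): bool {
    $pattern = '/^<input type="text" name="wpedon_button_scpriceprice" value="[^"]*">$/';
    return preg_match($pattern, $html) === 1;
}

// Constructed sample value in the shape the advisory describes (not a live payload
// from any site): a leading quote followed by attribute-like text.
$sample = '" autofocus=autofocus onfocus=alert(/XSS/) e=';

var_dump(value_stays_in_attribute(render_amount_menu_name_unsafe($sample))); // bool(false)
var_dump(value_stays_in_attribute(render_amount_menu_name_safe($sample)));   // bool(true)
```

The hardened renderer is the fix shape to look for when reviewing the patched version (1.3.2 or later per the table below): every echo of a stored option into an HTML attribute goes through `esc_attr()`.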
CPE:

Name | Operator | Version
---|---|---
easy-paypal-donation | lt | 1.3.2