WPVDB-ID: 4000BA69-D73F-4C5B-A299-82898304CEBB
Source: wpvulndb (cydave)
History: Dec 27, 2022 - 12:00 a.m.

Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS

Date: 2022-12-27 00:00:00
Author: cydave
Source: wpscan.com
Tags: pardakht delkhah, unauthenticated stored xss, woocommerce, xss payloads, admin privilege

EPSS: 0.001 (Low)
Percentile: 50.4%

The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request containing XSS payloads. The payloads are stored and triggered when a high-privilege user, such as an admin, visits a page of the plugin.

PoC

1. Install and activate WooCommerce (dependency, no configuration required).
2. Install the vulnerable plugin (pardakht-delkhah 2.9.2).
3. Under the plugin's menu, "Custom payment" > "Gateway Settings", hit the save button to set the default gateway.
4. Invoke the following curl request to store two XSS payloads (both of which will trigger an alert box):

   curl http://localhost:10008/wp-admin/admin-ajax.php \
     --data 'action=cupri_action&cupri_fmobile=981111111111&cupri_fprice=">&cupri_f0=">'

5. The XSS will be triggered when an admin navigates to the plugin's menu (/wp-admin/edit.php?post_type=cupri_pay).
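Added example (not code from the advisory or from the plugin's own source): the store-then-echo pattern in a WordPress AJAX handler that produces this class of unauthenticated stored XSS, beside the hardened form that sanitises on intake and escapes on output. The action name and the cupri_fmobile / cupri_fprice parameters come from the PoC above; the handler bodies, the cupri_pay post and its meta keys are assumptions.

```php
<?php
// Hypothetical handlers illustrating the advisory; not the plugin's real code.
// Assumed: "cupri_action" is exposed to unauthenticated callers and each request
// becomes a "cupri_pay" post whose meta is listed on the plugin's admin screen.

// Vulnerable pattern: raw request values are stored, then printed as-is.
function cupri_action_vulnerable() {
    $id = wp_insert_post( array( 'post_type' => 'cupri_pay', 'post_status' => 'publish' ) );
    update_post_meta( $id, 'fmobile', $_POST['cupri_fmobile'] ); // no sanitisation
    update_post_meta( $id, 'fprice',  $_POST['cupri_fprice'] );  // no sanitisation
    wp_die();
}
function cupri_render_row_vulnerable( $id ) {
    // Whatever the anonymous request sent is now markup inside an admin page.
    echo '<td>' . get_post_meta( $id, 'fprice', true ) . '</td>';
}

// Hardened pattern: sanitise on input, validate the expected shape, escape on output.
function cupri_action_hardened() {
    $mobile = isset( $_POST['cupri_fmobile'] ) ? sanitize_text_field( wp_unslash( $_POST['cupri_fmobile'] ) ) : '';
    $price  = isset( $_POST['cupri_fprice'] )  ? sanitize_text_field( wp_unslash( $_POST['cupri_fprice'] ) )  : '';

    // A phone number and a price have a known shape; reject anything else rather than store it.
    if ( ! preg_match( '/^\d{10,15}$/', $mobile ) || ! is_numeric( $price ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $id = wp_insert_post( array( 'post_type' => 'cupri_pay', 'post_status' => 'publish' ) );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( 'could not store request', 500 );
    }
    update_post_meta( $id, 'fmobile', $mobile );
    update_post_meta( $id, 'fprice',  $price );
    wp_send_json_success( array( 'id' => $id ) );
}
function cupri_render_row_hardened( $id ) {
    // Escaping at the point of output is what stops a stored value from executing,
    // even if a value slipped past the intake checks.
    echo '<td>' . esc_html( get_post_meta( $id, 'fprice', true ) ) . '</td>';
}

add_action( 'wp_ajax_nopriv_cupri_action', 'cupri_action_hardened' );
add_action( 'wp_ajax_cupri_action', 'cupri_action_hardened' );
```

Both halves of the fix matter: sanitize_text_field() strips tags on the way in, and esc_html() neutralises anything already sitting in the database when the admin list is rendered.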

CPE
Name               Operator   Version
pardakht-delkhah   lt         2.9.3

