wpvulndb | Dc11 | WPVDB-ID:5C73754C-EEBE-424A-9D3B-CA83EB53BF87
History: Oct 04, 2021 - 12:00 a.m.

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting

2021-10-04 00:00:00
dc11
wpscan.com
8

EPSS: 0.001 (Low)
Percentile: 29.8%

The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

PoC

Create/Edit a Button and put the following payload in the Amount Menu Name field (wpedon_button_scpriceprice parameter):

" autofocus=autofocus onfocus=alert(/XSS/) e=

Via CSRF: The name, price and id params are not required, but they are displayed on the buttons overview and can be used to attract the victim's attention to edit the Button.

The XSS will trigger when editing the affected Button.
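The two fixes the description implies, a nonce check on the save request and attribute escaping on the edit form, sketched as an added example. It is not the plugin's own code: the example_* function names, the example_button post type and the example_scpriceprice meta key are assumptions, and only wpedon_button_scpriceprice comes from the advisory.

```php
<?php
// Added example: hypothetical plugin code, not the Paypal Donation plugin's source.
// Assumed names: example_* functions, 'example_button' post type, 'example_scpriceprice' meta key.

// Edit form: emit a nonce and escape the stored value for the attribute context.
function example_render_button_form( $post_id ) {
    $menu_name = get_post_meta( $post_id, 'example_scpriceprice', true );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_button">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( $post_id ) . '">';
    wp_nonce_field( 'example_save_button', 'example_nonce' );
    // Vulnerable pattern: ... value="' . $menu_name . '">
    // A double quote in $menu_name closes value="..." and the rest is parsed as new attributes.
    echo '<input type="text" name="wpedon_button_scpriceprice" value="' . esc_attr( $menu_name ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Save handler: check capability and nonce before any state change.
function example_save_button() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless example_nonce is valid for this action and user,
    // so a request forged from another site is rejected.
    check_admin_referer( 'example_save_button', 'example_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( $post_id && 'example_button' !== get_post_type( $post_id ) ) {
        wp_die( 'Not a button.' );
    }
    if ( ! $post_id ) {
        $post_id = wp_insert_post( array(
            'post_type'   => 'example_button',
            'post_status' => 'publish',
            'post_title'  => 'Button',
        ) );
        if ( ! $post_id ) {
            wp_die( 'Could not create button.' );
        }
    }
    // sanitize_text_field() strips tags but keeps double quotes;
    // esc_attr() at output time is what prevents the attribute breakout.
    $raw = isset( $_POST['wpedon_button_scpriceprice'] ) ? wp_unslash( $_POST['wpedon_button_scpriceprice'] ) : '';
    update_post_meta( $post_id, 'example_scpriceprice', sanitize_text_field( $raw ) );
    wp_safe_redirect( admin_url( 'edit.php?post_type=example_button' ) );
    exit;
}
add_action( 'admin_post_example_save_button', 'example_save_button' );
```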

CPE | Name | Operator | Version
- | easy-paypal-donation | lt | 1.3.1
