Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS

The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note (WPScanTeam): The CSRF has ben fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it

PoC

Field Label Field description (optional) Field Label Field description (optional) XSS payloads execute: - On the business directory page when adding a listing: /business-directory/?wpbdp_view=submit_listing - On the Import/Export page: /wp-admin/admin.php?page=wpbdp_admin_csv - When adding/editing a listing /wp-admin/post-new.php?post_type=wpbdp_listing - On various Settings page, such as /wp-admin/admin.php?page=wpbdp_settings&tab;=listings&subtab;=listings%2Fsorting, /wp-admin/admin.php?page=wpbdp_settings&tab;=listings&subtab;=search_settings Delete