The plugin does not check authorization on its vcita-wordpress/v1/actions/auth REST route, allowing an unauthenticated attacker to set the connection parameters for the vcita account connection, including business_name and email address. Furthermore, these values are stored in the database without any validation and are later inserted into the website without escaping or sanitization, leading to a stored cross-site scripting vulnerability.
curl https://example.com/wp-json/vcita-wordpress/v1/actions/auth \
  --json '{ "success": true, "user_data": { "business_id": "\"; alert(1); //", "business_name": "Evil Eve", "email": "[email protected]" } }'
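
For comparison, a hardened registration of the same route, written as an added example and not taken from the plugin's code. The function names, the option name, the business_id format and the assumption that a logged-in administrator initiates the connection are all hypothetical; the WordPress API calls are real.

```php
<?php
// Added example (hypothetical names): authorize the route, validate on input, escape on output.
add_action('rest_api_init', function () {
    register_rest_route('vcita-wordpress/v1', '/actions/auth', array(
        'methods'             => 'POST',
        'callback'            => 'example_vcita_save_connection',
        // Authorization: only a site administrator may change the connection.
        // Assumption: the connection flow is started from wp-admin by that user.
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ));
});

function example_vcita_save_connection(WP_REST_Request $request) {
    $user_data = $request->get_param('user_data');
    if (!is_array($user_data)) {
        return new WP_Error('invalid_user_data', 'user_data must be an object', array('status' => 400));
    }
    // Validate before storing. The allowed ID alphabet is an assumed format.
    $business_id = isset($user_data['business_id']) ? (string) $user_data['business_id'] : '';
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $business_id)) {
        return new WP_Error('invalid_business_id', 'Unexpected business_id', array('status' => 400));
    }
    $email = sanitize_email(isset($user_data['email']) ? (string) $user_data['email'] : '');
    if (!is_email($email)) {
        return new WP_Error('invalid_email', 'Unexpected email', array('status' => 400));
    }
    $name = isset($user_data['business_name']) ? (string) $user_data['business_name'] : '';
    update_option('example_vcita_connection', array(
        'business_id'   => $business_id,
        'business_name' => sanitize_text_field($name),
        'email'         => $email,
    ));
    return rest_ensure_response(array('success' => true));
}

// Escape for the context the value lands in, even though it was validated on input.
function example_vcita_print_settings() {
    $conn  = get_option('example_vcita_connection', array());
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    // JavaScript context: JSON-encode so quotes and "</script>" cannot break out.
    printf("<script>var exampleVcita = %s;</script>\n", wp_json_encode($conn, $flags));
    // HTML context: entity-encode.
    $label = isset($conn['business_name']) ? $conn['business_name'] : '';
    printf("<span class=\"vcita-business\">%s</span>\n", esc_html($label));
}
```

With this registration the request above is rejected with a 401 before the callback runs, and a business_id containing quotes fails validation even when sent by an administrator.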