WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The ‘prayer request’ and ‘praise request’ fields do not use proper input validation and can be used to store XSS payloads.

PoC

1. Create a user with role ‘subscriber’ 2. Install WP Prayer 1.5.5 and create a page with a [wp-prayer-engine form] and a page with [wp-prayer-engine] 2. Log into the website with the subcriber user 3. Go to the page [wp-prayer-engine form] and fill in the fields 4. In the ‘prayer request’ field put the following: 5. Submit the form 6. Go to the page with the [wp-prayer-engine] or the “Manage Prayers” admin dashboard (wp-admin/admin.php?page=wpe_manage_prayer) 7. XSS payload will be triggered