Source: wpvulndb
Reporter: Sajjad Shariati
WPVDB-ID: D42EFF41-096F-401D-BBFB-DCD6E08FACA5
Published: Apr 12, 2023 - 12:00 a.m.

Pickup | Delivery | Dine-in date time <= 1.0.9 - Admin+ Stored XSS

Published: 2023-04-12 00:00:00
Reporter: Sajjad Shariati
Source: wpscan.com
Tags: plugin vulnerability, stored xss, admin privilege escalation, settings injection, cross-site scripting, data sanitization

EPSS: 0.001 (Low), percentile 23.7%

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

Go to this page: https://example.com/wp-admin/admin.php?page=byconsolewooodtrestro_general_settings. This page has multiple forms, and all of them are vulnerable to stored XSS.

XSS payload: ">

Vulnerable parameters:
byconsolewooodtrestro_takeaway_lable
byconsolewooodtrestro_delivery_lable
byconsolewooodtrestro_dinein_lable
byconsolewooodtrestro_date_field_text
byconsolewooodtrestro_time_field_text
byconsolewooodtrestro_orders_delivered
byconsolewooodtrestro_orders_pick_up
byconsolewooodtrestro_orders_dinein
byconsolewooodtrestro_chekout_page_section_heading
byconsolewooodtrestro_chekout_page_order_type_label
byconsolewooodtrestro_chekout_page_date_label
byconsolewooodtrestro_chekout_page_time_label

After injecting these payloads and saving the changes, any administrator who visits this page is targeted.
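As an added illustration of the missing sanitisation and escaping described above (not code from the plugin or from the advisory author), this is the handling a WordPress plugin would apply to the option names listed in the PoC; the function names and the settings group name are assumptions:

```php
<?php
// Added hardening example for the settings named in this advisory; not the
// plugin's own code. The function names and the settings group are assumptions.
// Option keys listed in the PoC above.
const BYCONSOLE_TEXT_OPTIONS = array(
    'byconsolewooodtrestro_takeaway_lable',
    'byconsolewooodtrestro_delivery_lable',
    'byconsolewooodtrestro_dinein_lable',
    'byconsolewooodtrestro_date_field_text',
    'byconsolewooodtrestro_time_field_text',
    'byconsolewooodtrestro_orders_delivered',
    'byconsolewooodtrestro_orders_pick_up',
    'byconsolewooodtrestro_orders_dinein',
    'byconsolewooodtrestro_chekout_page_section_heading',
    'byconsolewooodtrestro_chekout_page_order_type_label',
    'byconsolewooodtrestro_chekout_page_date_label',
    'byconsolewooodtrestro_chekout_page_time_label',
);
// Sanitise on save. These fields are plain labels, so all tags are stripped
// whatever the saving user's role; a user without unfiltered_html (for example
// a multisite admin) must not be able to store markup here either way.
function byconsole_sanitize_label( $value ) {
    return sanitize_text_field( (string) $value );
}
// Registering each option with a sanitize_callback makes WordPress run it
// before the submitted value reaches update_option() from the settings form.
function byconsole_register_settings() {
    foreach ( BYCONSOLE_TEXT_OPTIONS as $option ) {
        register_setting( 'byconsolewooodtrestro_general_settings', $option, array(
            'type'              => 'string',
            'sanitize_callback' => 'byconsole_sanitize_label',
            'default'           => '',
        ) );
    }
}
add_action( 'admin_init', 'byconsole_register_settings' );
// Escape on output, choosing the escaper by context: esc_attr() inside an
// attribute, esc_html() in element content. Escaping here also neutralises a
// value that was stored before the sanitiser existed.
function byconsole_render_label_field( $option ) {
    $value = get_option( $option, '' );
    printf(
        '<label for="%1$s">%2$s</label><input type="text" id="%1$s" name="%1$s" value="%3$s">',
        esc_attr( $option ),
        esc_html( $option ),
        esc_attr( $value )
    );
}
```

Sanitising on save alone would leave values stored before the fix executable, which is why the output escaping is the part that actually closes the exposure for existing installs.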

CPE Name | Operator | Version
restaurant-pickup-delivery-dine-in | eq | *
