Authored by Laburity Research Team

WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.

# Exploit Title: IDonate – blood request management system <=1.8.1 - Stored Cross-Site Scripting (Authenticated)
# Date: 29-02-2024
# Exploit Author: Laburity Research Team
# Vendor Homepage: https://wordpress.org/plugins/idonate/
# Version: <=1.8.1
# Tested on: Firefox
# Contact me: contact [at] laburity.com

# Summary:

A stored cross-site scripting vulnerability has been identified in the
WordPress plugin IDonate – blood request management system, versions 1.8.1
and below, that allows authenticated users to run arbitrary JavaScript
code inside WordPress using the blood request management system plugin.

# POC

1- Navigate to http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin
2- Enter the payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key and in Recaptcha Site key.
3- Click on save changes.
4- Clicking on the payload text triggers the XSS.


# Vulnerable Code:

```
public function idonate_recaptcha_secretkey_callback()
{
    if ( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ) {
        $secretkey = $this->general_options['idonate_recaptcha_secretkey'];
    } else {
        $secretkey = '';
    }

    // Vulnerable: the stored option value is written into the value attribute without escaping.
    printf(
        '<input type="text" id="idonate_recaptcha_secretkey" value="%s" name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',
        $secretkey
    );
}
```

The secret key value (idonate_recaptcha_secretkey) is printed into the value attribute without sanitization.
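
For comparison, the same field rendered with and without output escaping, plus validation on save. This is an added example, not the plugin's code or the vendor's patch. The esc_attr() fallback is a simplified stand-in so the script runs outside WordPress, and sanitize_recaptcha_key() with its character allowlist is a hypothetical helper based on an assumed key format.

```php
<?php
// Added example, not the plugin's code. Runs stand-alone with the PHP CLI.

// Simplified stand-in for WordPress's esc_attr() when run outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Field markup taken from the vulnerable callback shown above.
const FIELD = '<input type="text" id="idonate_recaptcha_secretkey" value="%s" '
    . 'name="idonate_general_option_name[idonate_recaptcha_secretkey]" />';

// Behaviour of the original callback: the stored value goes out unescaped.
function render_raw( array $options ): string {
    $secretkey = $options['idonate_recaptcha_secretkey'] ?? '';
    return sprintf( FIELD, $secretkey );
}

// Hardened output: escape for the HTML attribute context at print time.
function render_escaped( array $options ): string {
    $secretkey = $options['idonate_recaptcha_secretkey'] ?? '';
    return sprintf( FIELD, esc_attr( $secretkey ) );
}

// Defence in depth on save (hypothetical helper): keep only values that look
// like an API key. The allowlist [A-Za-z0-9_-] is an assumption about key format.
function sanitize_recaptcha_key( $value ): string {
    $value = is_string( $value ) ? trim( $value ) : '';
    return preg_match( '/\A[A-Za-z0-9_-]{1,128}\z/', $value ) ? $value : '';
}

// Stored option holding the value from step 2 of the POC.
$stored = array( 'idonate_recaptcha_secretkey' => '"><h1 onclick=alert(1)>XSS</h1>' );

// Raw rendering: the quote closes value="" and the <h1> becomes live markup.
echo render_raw( $stored ), PHP_EOL;

// Escaped rendering: quote and angle brackets become entities inside value="".
echo render_escaped( $stored ), PHP_EOL;

// Save-time validation: the POC value is rejected, a constructed key passes.
var_dump( sanitize_recaptcha_key( $stored['idonate_recaptcha_secretkey'] ) );
var_dump( sanitize_recaptcha_key( 'constructed-sample_KEY123' ) );
```

Escaping at output is the fix for the printf() call itself; the save-time check only limits what can reach the option in the first place.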