Authored by Laburity Research Team

WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.

# Exploit Title: IDonate – blood request management system <=1.8.1 - Stored
Cross-Site Scripting (Authenticated)
# Date: 29-02-2024
# Exploit Author: Laburity Research Team
# Vendor Homepage:
# Version: <=1.8.1
# Tested on: Firefox
# Contact me: contact [at]

# Summary:

A cross site scripting stored vulnerability has been identified in
WordPress Plugin IDonate – blood request management system version less
then 1.8.1. that allows Authenticated users to run arbitrary javascript
code inside WordPress using blood request management system Plugin.


1- Navigate to
2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key
and in Recaptcha Site key
3- Click on save changes.
4- While clicking on the payload text, XSS will trigger.

# Vulnerable Code:

public function idonate_recaptcha_secretkey_callback()

if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){
$secretkey = $this->general_options['idonate_recaptcha_secretkey'];
$secretkey = '';

'<input type="text" id="idonate_recaptcha_secretkey" value="%s"
name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',


Secrets keys (idonate_recaptcha_secretkey) are printed without sanitization.