
WordPress Plugin Give – Stored XSS for Donors


Thanks to this oversight, a malicious user can still perform an injection on the donors page after making a donation.

A donation creates two entities. One of them is the Donor, which contains the data related to the user performing the donation. If the user performing the donation is a guest, meaning this is the first donation using this email, a new donor is created with the provided information.

[Figure: Donor creation]

Under the admin panel, you can see either of the two entities created by the donation: the Donors and the Donations. The code can be found under class-donor-table.php:

[Figure: Injection on the table row tag]

[Figure: Injection on the column checkbox]

The name of our user was sanitized using the sanitize_text_field method, which performs the following actions per the WordPress documentation:
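The security-relevant point here is that sanitize_text_field is an input sanitizer, not an output encoder: it strips tags, but it leaves double quotes alone, so a donor name that contains no `<` at all still survives it and can close an HTML attribute when the donors table echoes it into a row tag or checkbox attribute. The following is an added example, not code from the plugin or from the original post. It is a Python model, written for this page, of only the parts of sanitize_text_field that matter here (tag stripping and whitespace normalization, which is an approximation, not WordPress's implementation), a constructed donor name as payload, and the two rendering styles side by side: the unsafe one that drops the sanitized name straight into attributes, and the fixed one that HTML-attribute-encodes it at output time. All function names and the markup shape are hypothetical.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload (not from the original post): contains no HTML tag,
# so a tag-stripping sanitizer keeps it verbatim, yet the embedded double
# quote closes the attribute it lands in and smuggles in an event handler.
PAYLOAD = 'Alice" onmouseover="alert(document.cookie)'


def model_sanitize_text_field(value: str) -> str:
    """Approximation (assumption, not WordPress code) of the behaviours of
    sanitize_text_field relevant to this bug: strip tags, turn line breaks
    and tabs into spaces, collapse extra whitespace, trim.  Note what it does
    NOT do: it never encodes quotes, so it is not attribute-context escaping."""
    value = re.sub(r"<[^>]*>", "", value)      # strip anything that looks like a tag
    value = re.sub(r"[\r\n\t]+", " ", value)    # remove line breaks and tabs
    value = re.sub(r" {2,}", " ", value)         # collapse runs of spaces
    return value.strip()


def vulnerable_row(donor_name: str) -> str:
    """Unsafe pattern: the name was sanitized on input, then interpolated
    into attribute values on output with no escaping (hypothetical markup)."""
    name = model_sanitize_text_field(donor_name)
    return (f'<tr class="donor-{name}">'
            f'<td><input type="checkbox" name="donor[]" value="{name}"></td>'
            f"</tr>")


def fixed_row(donor_name: str) -> str:
    """Safe pattern: encode for the attribute context at output time.
    html.escape(..., quote=True) encodes & < > " ' which is what matters
    inside a double-quoted attribute."""
    name = html.escape(model_sanitize_text_field(donor_name), quote=True)
    return (f'<tr class="donor-{name}">'
            f'<td><input type="checkbox" name="donor[]" value="{name}"></td>'
            f"</tr>")


class _HandlerCollector(HTMLParser):
    """Records every on* attribute the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.handlers.append(f"{tag}@{attr_name}")


def event_handlers(markup: str) -> list[str]:
    """Return 'tag@attribute' for each event-handler attribute in markup.
    A non-empty list means the donor name broke out of its attribute."""
    collector = _HandlerCollector()
    collector.feed(markup)
    collector.close()
    return collector.handlers


if __name__ == "__main__":
    print("sanitized name :", model_sanitize_text_field(PAYLOAD))
    print("vulnerable row :", vulnerable_row(PAYLOAD))
    print("  handlers     :", event_handlers(vulnerable_row(PAYLOAD)))
    print("fixed row      :", fixed_row(PAYLOAD))
    print("  handlers     :", event_handlers(fixed_row(PAYLOAD)))
```

Running it shows the sanitized payload coming back unchanged, two injected `onmouseover` handlers (one on the row tag, one on the checkbox, mirroring the two injection points the post's screenshots label) in the unsafe rendering, and none in the fixed rendering. In a WordPress code base the attribute-context equivalent of `html.escape(..., quote=True)` is `esc_attr()` applied at the echo site; sanitizing on input is not a substitute for escaping on output.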
