[50] CVE-2022-3128
During security research I found an authenticated Stored XSS vulnerability.
Affected plugin: Donation Thermometer < 2.1.3
Description
The plugin does not sanitise and escape some of its settings, which could allow
high-privilege users such as admins to perform Stored Cross-Site Scripting
attacks even when the unfiltered_html capability is disallowed
(for example in a multisite setup).
POC
Put the following payload in the Settings > Thermometer > Currency setting:
" style=animation-name:rotation onanimationstart=alert(/XSS/)//
Save the changes; the XSS is triggered when the settings page is accessed
again, as well as on frontend pages where the [thermometer] shortcode is
embedded.
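The following is an added example, not code from the Donation Thermometer plugin: a hypothetical settings option (dt_currency, with made-up function names) rendered the way the description above implies, beside the WordPress-idiomatic fix of sanitising on save and escaping for the output context.

```php
<?php
// Added example, not the plugin's own code. Option name "dt_currency" and all
// dt_* function names are assumptions made for illustration.

// BEFORE: the stored setting is echoed raw inside a double-quoted attribute.
// Any stored value containing a double quote closes value="..." early, so the
// rest of the value is parsed as new attributes on the <input> element.
function dt_currency_field_vulnerable() {
    $currency = get_option( 'dt_currency', '$' );
    echo '<input type="text" name="dt_currency" value="' . $currency . '">';
}

// AFTER, step 1: sanitise on save. register_setting() runs the callback before
// update_option() persists the value. sanitize_text_field() strips tags and
// control characters but keeps quotes, so an attribute-breakout value survives
// this step; it limits what is stored, it is not the fix on its own.
function dt_register_settings() {
    register_setting(
        'dt_options',
        'dt_currency',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'dt_sanitize_currency',
            'default'           => '$',
        )
    );
}
add_action( 'admin_init', 'dt_register_settings' );

function dt_sanitize_currency( $value ) {
    return sanitize_text_field( (string) $value );
}

// AFTER, step 2: escape at output for the context the value lands in.
// esc_attr() encodes the double quote, so the attribute cannot be closed early
// no matter what is stored, which is what actually closes the XSS.
function dt_currency_field_fixed() {
    $currency = get_option( 'dt_currency', '$' );
    echo '<input type="text" name="dt_currency" value="'
        . esc_attr( $currency ) . '">';
}

// The same rule applies to the frontend shortcode output: the value lands in
// HTML text content there, so esc_html() is the matching escape.
function dt_thermometer_shortcode( $atts ) {
    $currency = get_option( 'dt_currency', '$' );
    return '<span class="dt-currency">' . esc_html( $currency ) . '</span>';
}
add_shortcode( 'thermometer', 'dt_thermometer_shortcode' );
```

Both the settings page and the shortcode are output paths for the same option, so each needs its own context-appropriate escape; fixing only one leaves the other path exploitable.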
Additional information
WPSCAN link: https://wpscan.com/vulnerability/97201998-1859-4428-9b81-9c2748806cf4
The plugin has more than 3,000 active installations.