Share
## https://sploitus.com/exploit?id=1337DAY-ID-39386
# Exploit Title: IDonate โ€“ blood request management system <=1.8.1 - Stored
Cross-Site Scripting (Authenticated)
# Exploit Author: Laburity Research Team
# Vendor Homepage: https://wordpress.org/plugins/idonate/
# Version: <=1.8.1
# Tested on: Firefox
# Contact me: contact [at] laburity.com

# Summary:

A cross site scripting stored vulnerability has been identified in
WordPress Plugin IDonate โ€“ blood request management system version less
then 1.8.1. that allows Authenticated users to run arbitrary javascript
code inside WordPress using blood request management system Plugin.

# POC

1- Navigate to
http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin
2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key
and in Recaptcha Site key
3- Click on save changes.
4- While clicking on the payload text, XSS will trigger.


# Vulnerable Code:

```
    public function idonate_recaptcha_secretkey_callback()
    {

if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){
$secretkey = $this->general_options['idonate_recaptcha_secretkey'];
}else{
$secretkey = '';
}

//
        printf(
            '<input type="text" id="idonate_recaptcha_secretkey" value="%s"
name="idonate_general_option_name[idonate_recaptcha_secretkey]"  />',
            $secretkey
        );

    }
```

Secrets keys (idonate_recaptcha_secretkey) are printed without sanitization.