Sell BTC Cryptocurrency Selling Calculator WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress, affecting all versions through 1.5. The issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary scripts into order records. These scripts are executed when an administrator views the Orders page in the dashboard. Although the vulnerability was partially addressed in version 1.5, it remains a concern in earlier versions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected order.

Reproduction

To reproduce this vulnerability, send a request to the 'orderform_data' AJAX action with the 'form_var' parameter containing the unsanitized script. Once the script is injected, it will execute when an administrator accesses the Orders page.

Remediation

Users are advised to update the Sell BTC - Cryptocurrency Selling Calculator plugin to version 1.6 or later.