PT-2021-16134 · WordPress · Donate With Qrcode

Yangshengcheng@Webray.Com.Cn Inc · Published 2021-09-20 · Updated 2022-12-20 · CVE-2021-24618

CVSS v3.1: 5.4 (Medium) · Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Donate With QRCode WordPress plugin, versions prior to 1.4.5
Description: Stored Cross-Site Scripting (XSS). The plugin does not sanitise or escape its QRCode Image setting, so whatever is saved there is rendered back into the page unescaped. The handler that saves the setting performs neither a capability check nor a CSRF (nonce) check, so any authenticated user, including low-privileged roles such as subscriber, can update it directly, and an unauthenticated attacker can do so via CSRF by getting a logged-in user to submit the request. Either path lets the attacker store a script payload that executes in the browser of anyone who views the page where the setting is rendered.
Recommendations: Update to version 1.4.5 or later; all earlier versions are affected. Until the update can be applied, reduce exposure to the setting: deactivate the plugin, or limit who can hold an account on the site (for example, by disabling open registration), since any authenticated user can reach the save handler. Account-level restrictions do not close the CSRF path, which only needs a logged-in user to visit an attacker-controlled page, so the update is the only complete fix.
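The following is an added example, not the plugin's own code and not its actual fix: it shows the save-and-render pattern the advisory describes as a vulnerable handler next to a hardened one that uses WordPress's own capability, nonce, sanitisation and escaping APIs. The option, action and nonce names prefixed `dwqr_` are invented for this illustration.

```php
<?php
/**
 * Illustrative only (not the Donate With QRCode plugin's code).
 * Option/action/nonce names prefixed dwqr_ are invented for this example.
 * Shows the two defects in the advisory (no capability or nonce check on
 * save; value stored and echoed unescaped) next to the hardened equivalent.
 */

// ---- Vulnerable pattern (shown for contrast, intentionally not hooked). ----
// Any logged-in user can POST to admin-post.php, and a CSRF page can submit
// the same form on behalf of a logged-in victim; nothing checks who or why.
function dwqr_save_qrcode_image_vulnerable() {
    // No current_user_can(), no nonce verification, raw value stored.
    update_option( 'dwqr_qrcode_image', $_POST['qrcode_image'] );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

function dwqr_render_qrcode_vulnerable() {
    $img = get_option( 'dwqr_qrcode_image', '' );
    // Attacker-controlled string lands inside an attribute unescaped; a
    // stored value containing a double quote breaks out of src="..." and
    // can add an event-handler attribute (classic stored XSS).
    echo '<img src="' . $img . '" alt="Donate">';
}

// ---- Hardened pattern. ----
function dwqr_save_qrcode_image() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF check: nonce bound to this action and the current user;
    //    check_admin_referer() calls wp_die() itself when it fails.
    check_admin_referer( 'dwqr_save_qrcode_image', 'dwqr_nonce' );

    // 3. Sanitise on input: keep only a well-formed http(s) URL.
    $raw = isset( $_POST['qrcode_image'] ) ? wp_unslash( $_POST['qrcode_image'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_die( 'Invalid image URL.', 400 );
    }
    update_option( 'dwqr_qrcode_image', $url );

    wp_safe_redirect( admin_url( 'options-general.php?page=dwqr&updated=1' ) );
    exit;
}
// Only the authenticated admin_post_ hook is registered; there is deliberately
// no admin_post_nopriv_ counterpart, so unauthenticated requests never reach it.
add_action( 'admin_post_dwqr_save_qrcode_image', 'dwqr_save_qrcode_image' );

function dwqr_render_qrcode() {
    $img = get_option( 'dwqr_qrcode_image', '' );
    if ( '' === $img ) {
        return;
    }
    // 4. Escape on output, for the context the value is used in (URL attribute).
    echo '<img src="' . esc_url( $img ) . '" alt="' . esc_attr__( 'Donate', 'dwqr' ) . '">';
}

// Settings form: carries the nonce that dwqr_save_qrcode_image() verifies.
function dwqr_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dwqr_save_qrcode_image">
        <?php wp_nonce_field( 'dwqr_save_qrcode_image', 'dwqr_nonce' ); ?>
        <input type="url" name="qrcode_image"
               value="<?php echo esc_attr( get_option( 'dwqr_qrcode_image', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The capability check and the nonce check are complementary, not interchangeable: the capability check alone still lets a CSRF page act with an administrator's session, and the nonce alone still lets a subscriber save through the plugin's own form. Sanitising on input and escaping on output are likewise both needed, because the option can be written by other code paths and read into other contexts than the one the sanitiser anticipated.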

Tags: Exploit · Fix · XSS · CSRF

Related Identifiers: CVE-2021-24618

Affected Products: Donate With QRCode