Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS
Description
Unauthenticated stored XSS in پلاگین پرداخت دلخواه WordPress plugin before 2.9.3 allows attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The پلاگین پرداخت دلخواه (Pardakht Delkhah) WordPress plugin versions before 2.9.3 fail to sanitize and escape some parameters [1]. This allows an unauthenticated attacker to inject malicious JavaScript payloads through HTTP requests. The injected payloads are stored and later executed when a user with high privileges, such as an administrator, visits a page from the plugin.
Exploitation
An unauthenticated attacker can send a crafted request containing an XSS payload in a vulnerable parameter [1]. No authentication or special network position is required. The payload is stored by the plugin without sanitization. When a high-privilege user (e.g., an admin) subsequently visits any plugin page where the payload is rendered, the script executes in their browser session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, or forced administrative actions. The attack achieves stored cross-site scripting (XSS) with an impact on confidentiality, integrity, and availability, particularly affecting privileged users.
Mitigation
Update the پلاگین پرداخت دلخواه plugin to version 2.9.3 or later, which fixes the vulnerability [1]. No workaround is available. The plugin is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
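The pattern the Vulnerability, Exploitation and Mitigation sections describe, shown as an added example in WordPress-style PHP (this is not code from the Pardakht Delkhah plugin or from the advisory). The function names `pd_save_note_*`/`pd_render_note_*`, the `note` request parameter and the `pd_customer_note` option are hypothetical stand-ins; the advisory does not name the affected parameters. The WordPress functions `sanitize_text_field()`, `esc_html()`, `update_option()` and `get_option()` are real; minimal fallbacks are defined only so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Pardakht Delkhah plugin. It shows the
// pattern the advisory describes (request parameter stored unsanitized, then
// rendered unescaped on an admin page) beside the hardened form. The names
// pd_save_note_*(), pd_render_note_*(), the 'note' parameter and the
// 'pd_customer_note' option are hypothetical; the real parameters are not
// named in the advisory.

// Stand-ins so the file also runs under plain `php` outside WordPress. Inside
// WordPress these are not defined here and the real functions are used.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Mirrors wp_strip_all_tags(): drop script/style elements with their
        // contents, strip remaining tags, collapse whitespace.
        $s = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $s);
        $s = strip_tags($s);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $s));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('update_option')) {
    $GLOBALS['pd_options'] = [];
    function update_option(string $key, $value): bool {
        $GLOBALS['pd_options'][$key] = $value;
        return true;
    }
    function get_option(string $key, $default = '') {
        return $GLOBALS['pd_options'][$key] ?? $default;
    }
}

// VULNERABLE: the value from an unauthenticated request is persisted as-is and
// later concatenated raw into HTML that an administrator views.
function pd_save_note_vulnerable(array $request): void {
    update_option('pd_customer_note', (string) ($request['note'] ?? ''));
}
function pd_render_note_vulnerable(): string {
    return '<td>' . get_option('pd_customer_note') . '</td>';
}

// HARDENED: sanitize on the way in, escape on the way out. Output escaping is
// the control that stops a stored payload from executing in the admin's
// browser; input sanitization limits what gets persisted at all. Both are
// applied because stored data is reused in more than one context over time.
function pd_save_note_hardened(array $request): void {
    update_option('pd_customer_note',
                  sanitize_text_field((string) ($request['note'] ?? '')));
}
function pd_render_note_hardened(): string {
    return '<td>' . esc_html((string) get_option('pd_customer_note')) . '</td>';
}

// Constructed request body standing in for a crafted POST to the plugin.
$constructed = ['note' => '<script>alert(1)</script>'];

pd_save_note_vulnerable($constructed);
echo "vulnerable: ", pd_render_note_vulnerable(), PHP_EOL;

pd_save_note_hardened($constructed);
echo "hardened:   ", pd_render_note_hardened(), PHP_EOL;
```

Two points worth noting when applying this inside a real plugin: WordPress slash-escapes request superglobals, so production code reads the parameter through `wp_unslash($_POST['note'])` before sanitizing; and a nonce or capability check is not the fix here, because the endpoint is meant to accept input from unauthenticated visitors. The defect is the missing sanitize-then-escape step, which is what the 2.9.3 update addresses.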
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/پلاگین پرداخت دلخواه
  - Range: <2.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/4000ba69-d73f-4c5b-a299-82898304cebb (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.