Source: wpvulndb (wpscan.com)
Author: Satyender Yadav
WPVDB-ID: E3F6576F-08CB-4278-8C79-3EF4D0B85CD9
Published: Jun 14, 2021

Vik Rent Car < 1.1.7 - CSRF to Stored XSS


EPSS: 0.001 (Low), Percentile: 21.2%

The plugin has a Custom Fields option for managing the fields a user must fill in before saving an order. The field name is neither sanitised on input nor escaped when it is output back into the page, leading to a stored Cross-Site Scripting issue. The settings-save handler also performs no CSRF check, so an attacker can make a logged-in admin set arbitrary Custom Fields, including one whose name carries an XSS payload. Note: the XSS was fixed in 1.1.6 and the CSRF in 1.1.7.

PoC

Steps to reproduce:
1. Go to the plugin's Custom Fields option (/wp-admin/admin.php?option=com_vikrentcar&task=customf).
2. Edit a field and put an XSS payload in the Field Name.
3. Save it. The payload then executes for anyone who visits that page. Because the save request carries no nonce, an attacker can also have a logged-in admin perform steps 2 and 3 on their behalf via CSRF.
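The following is an added, illustrative reconstruction (not the Vik Rent Car plugin's actual code) of the two defects the description and the PoC above exercise, beside a hardened version: a save handler with no nonce check and a renderer that echoes the stored field name raw, versus one that verifies a WordPress nonce, sanitises the input and escapes at output. All function, option and request-parameter names (`vuln_save_custom_field`, `hypothetical_custom_field_name`, `field_name`, `_cf_nonce`, the `save_custom_field` nonce action) are assumptions; the WordPress API calls (`wp_verify_nonce`, `sanitize_text_field`, `esc_html`, `esc_attr`, ...) are real.

```php
<?php
// Added illustrative example; NOT the Vik Rent Car plugin's own code.
// Function, option and request-parameter names below are hypothetical.

// --- Vulnerable pattern: the two defects the advisory describes ---

function vuln_save_custom_field() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF: no nonce check. A capability check alone does not help,
    // because a forged cross-site POST rides on the admin's own session.
    // Stored XSS (part 1): the submitted name is stored exactly as sent.
    $name = $_POST['field_name'] ?? '';
    update_option( 'hypothetical_custom_field_name', $name );
}

function vuln_render_custom_field() {
    $name = get_option( 'hypothetical_custom_field_name', '' );
    // Stored XSS (part 2): the raw value is concatenated into HTML,
    // so a name like <script>...</script> runs for every visitor.
    echo '<label>' . $name . '</label>';
}

// --- Hardened pattern ---

function safe_render_form() {
    // Emits a hidden nonce field bound to this action and this user;
    // a cross-site page cannot obtain or guess it.
    echo '<form method="post">';
    wp_nonce_field( 'save_custom_field', '_cf_nonce' );
    $name = get_option( 'hypothetical_custom_field_name', '' );
    // Attribute context: escape with esc_attr().
    echo '<input type="text" name="field_name" value="' . esc_attr( $name ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function safe_save_custom_field() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF fix: reject any request that does not carry a valid nonce.
    if ( ! isset( $_POST['_cf_nonce'] )
        || ! wp_verify_nonce( $_POST['_cf_nonce'], 'save_custom_field' ) ) {
        wp_die( 'Invalid request' );
    }
    // Input sanitisation (defence in depth; output escaping is still needed).
    $name = sanitize_text_field( wp_unslash( $_POST['field_name'] ?? '' ) );
    update_option( 'hypothetical_custom_field_name', $name );
}

function safe_render_custom_field() {
    $name = get_option( 'hypothetical_custom_field_name', '' );
    // XSS fix: escape at the point of output, for the HTML text context.
    echo '<label>' . esc_html( $name ) . '</label>';
}
```

When checking whether a build is fixed, look for `wp_verify_nonce` or `check_admin_referer` in the handler that saves the custom fields and for `esc_html`/`esc_attr` where the field name is printed. The two fixes are independent, which matches the advisory's history: 1.1.6 escaped the output (XSS closed) while the save handler still accepted un-nonced requests until 1.1.7.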

Affected versions (CPE):
CPE name     Operator   Version
vikrentcar   lt         1.1.7

