Cross-site Scripting (XSS) - Stored in utmsigep/member-directory
Reported on May 15th 2021
✍️ Description
Donor creation is vulnerable to stored XSS due to missing sanitization of user input.
🕵️‍♂️ Proof of Concept
- Select a member-status/group - Create Member
- Enter an XSS payload into the `directory notes` field, e.g. `<img src=x onerror="alert('dir notes')" />`
- Hit save. Upon refreshing/navigating away and back to the page, the XSS payload stored in directory notes will execute.
💥 Impact
Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious/unintended processing on the client-side. Stored XSS is a persistent vector and can deliver higher impact than reflected payloads.
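The missing step described above is encoding the stored directory notes value when it is written into the page. The following is an added example, not code from the report or from the member-directory project; the function names and the wrapper markup are hypothetical, and the sample notes are constructed from the payload in the proof of concept.

```javascript
// Added example: output-encode a stored "directory notes" value at render time.
// Function names and markup are hypothetical, not the project's own code.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can change parser state in HTML text
// or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored value is concatenated into markup, so the browser
// parses it as HTML and the onerror handler from the PoC would run.
function renderNotesUnsafe(notes) {
  return '<div class="directory-notes">' + notes + '</div>';
}

// "After": same template, but the stored value is encoded and renders as text.
function renderNotesSafe(notes) {
  return '<div class="directory-notes">' + escapeHtml(notes) + '</div>';
}

// Regression check: does anything inside the wrapper still start a tag?
function containsInjectedElement(html) {
  const inner = html
    .replace(/^<div class="directory-notes">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample values: the PoC payload and a benign note.
const storedNotes = [
  `<img src=x onerror="alert('dir notes')" />`,
  'Prefers email & phone contact',
];

for (const note of storedNotes) {
  console.log('unsafe:', containsInjectedElement(renderNotesUnsafe(note)),
              '| safe:', containsInjectedElement(renderNotesSafe(note)));
}
```

Encoding at render time rather than at save time leaves the stored value intact and also neutralizes records that were saved before the fix.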