CVE-2025-14554

WordPress · WordPress plugin: Sell BTC - Cryptocurrency Selling Calculator

Executive summary

A high-severity vulnerability exists in the "Sell BTC - Cryptocurrency Selling Calculator" plugin for WordPress. This flaw allows an attacker to inject and store malicious code on the website, which then executes in the web browsers of other users, including administrators. Successful exploitation could lead to the theft of sensitive information, user account takeovers, or complete website compromise.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the 'orderform_data' AJAX action of the plugin. An unauthenticated attacker can craft a malicious request containing a script payload and submit it through this AJAX function. The plugin fails to properly sanitize this input before storing it in the website's database. When a privileged user, such as an administrator, views the page containing this stored data, the malicious script executes within their browser session, granting the attacker the same privileges as the victim user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. Exploitation can have significant negative consequences for the business. An attacker could leverage this flaw to steal administrator session cookies, leading to a complete takeover of the WordPress site. This could result in website defacement, theft of customer data, installation of backdoors, or using the compromised website to launch further attacks, causing severe reputational damage and potential financial loss.

Remediation

Immediate Action: Update the "Sell BTC - Cryptocurrency Selling Calculator" plugin to the latest patched version released by the vendor without delay. If this plugin is not essential for business operations, consider deactivating and completely removing it from the WordPress installation to eliminate the attack surface.

Proactive Monitoring: Monitor web server and WAF logs for suspicious POST requests to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) with the action 'orderform_data' containing script tags or other HTML/JavaScript payloads. Audit the database tables associated with the plugin for any stored malicious code. Regularly review for unauthorized changes to website content or the creation of new administrative user accounts.
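
The log review described above, as an added example that is not part of the original advisory: it scans constructed JSON-per-line WAF/proxy records (field names, IP addresses and payloads are all made up) for requests to admin-ajax.php carrying the 'orderform_data' action, URL- and entity-decodes every other parameter, and flags values that look like HTML or script injection.

```python
import json
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (JSON per line), not real traffic. Line 2 and 3 should be flagged,
# line 1 is a benign order, line 4 is a different AJAX action and must be ignored.
SAMPLE_LOG = """\
{"ts":"2025-01-10T12:00:01Z","src":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=orderform_data&name=Alice&wallet=bc1qexample&amount=0.5"}
{"ts":"2025-01-10T12:00:07Z","src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=orderform_data&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&amount=1"}
{"ts":"2025-01-10T12:00:09Z","src":"198.51.100.2","method":"POST","uri":"/wp-admin/admin-ajax.php?action=orderform_data","body":"name=x&wallet=%3Cimg+src%3Dx+onerror%3D%22alert%281%29%22%3E"}
{"ts":"2025-01-10T12:00:12Z","src":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data=%3Cb%3Ebold%3C%2Fb%3E"}
"""

# Indicators of HTML/JavaScript in a value that should only ever hold names, wallets and amounts.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),      # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
]

def decode_param(value):
    """Repeatedly URL-decode (defeats double encoding), then HTML-entity-decode."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return unescape(value)

def extract_params(uri, body):
    """Merge query-string and form-body parameters; action may live in either."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return params

def scan_request(entry):
    """Return list of (param, pattern) hits for an orderform_data request, else None."""
    if not urlsplit(entry["uri"]).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = extract_params(entry["uri"], entry.get("body", ""))
    if "orderform_data" not in params.get("action", []):
        return None
    hits = []
    for name, values in params.items():
        if name == "action":
            continue
        for raw in values:
            decoded = decode_param(raw)
            match = next((p.pattern for p in XSS_PATTERNS if p.search(decoded)), None)
            if match:
                hits.append((name, match))
    return hits or None

def scan_log(text):
    """Scan JSON-lines log text; return one finding per suspicious request."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        hits = scan_request(entry)
        if hits:
            findings.append({"ts": entry["ts"], "src": entry["src"],
                             "fields": sorted({h[0] for h in hits})})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Flagged requests are the starting point for the database audit the advisory recommends: the same decoded values, if present in the plugin's tables, confirm that the payload was stored.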

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with a robust ruleset to detect and block XSS attack patterns. Enforce a strict Content Security Policy (CSP) on the website to prevent the execution of unauthorized inline scripts. Restrict administrative access to trusted IP addresses to limit the exposure of privileged sessions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity rating (CVSS 7.2) and the ease of exploitation, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patch for the affected plugin. Although this vulnerability is not currently listed in the CISA KEV catalog, the risk of future exploitation is high due to the widespread use of WordPress. Proactive patching is the most effective defense to prevent potential website compromise, data theft, and reputational harm.