📄 Description (English)
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
🤖 AI Executive Summary
The Sell BTC WordPress plugin contains a Stored XSS vulnerability in the orderform_data AJAX action affecting versions up to 1.5. Unauthenticated attackers can inject malicious scripts into order records that execute when administrators access the Orders page, potentially compromising admin accounts and WordPress installations. A partial patch exists in version 1.5, but complete remediation requires upgrading to the latest version.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 08:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress for e-commerce and cryptocurrency trading platforms are at risk. Primary impact on: Financial Technology (FinTech) companies operating cryptocurrency exchanges, Online retailers accepting cryptocurrency payments, Digital payment service providers, and small-to-medium enterprises (SMEs) using WordPress for commerce. SAMA-regulated entities and payment processors face compliance violations if customer data is compromised through admin account takeover. The vulnerability enables credential theft, malware distribution, and unauthorized access to sensitive transaction data.
🏢 Affected Saudi Sectors
Financial Technology (FinTech)
E-commerce and Online Retail
Cryptocurrency and Digital Assets
Payment Processing
Small and Medium Enterprises (SMEs)
Digital Marketing Agencies
Online Service Providers
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Sell BTC plugin versions up to 1.5
2. Disable the plugin immediately if not critical to operations
3. Review admin access logs for suspicious activity during the past 30 days
4. Audit all orders placed during the vulnerability window for injected scripts
PATCHING GUIDANCE:
1. Update Sell BTC plugin to the latest version (beyond 1.5) from official WordPress repository
2. Verify patch completeness by reviewing plugin changelog for XSS fixes
3. Test functionality in staging environment before production deployment
4. Clear WordPress cache after update
COMPENSATING CONTROLS (if immediate patching not possible):
1. Restrict AJAX orderform_data endpoint to authenticated users only via .htaccess or WAF rules
2. Implement Content Security Policy (CSP) headers to prevent inline script execution
3. Enable WordPress security plugins (Wordfence, Sucuri) with XSS detection
4. Limit admin dashboard access to specific IP addresses
5. Enforce strong admin passwords and two-factor authentication
DETECTION RULES:
1. Monitor for POST requests to /wp-admin/admin-ajax.php?action=orderform_data containing script tags or event handlers
2. Alert on admin dashboard access from unusual locations or times
3. Log and review all order modifications in the past 30 days
4. Search database for <script>, javascript:, onerror=, onload= patterns in order data
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم مكون Sell BTC بإصدارات حتى 1.5
2. تعطيل المكون فوراً إذا لم يكن حرجاً للعمليات
3. مراجعة سجلات وصول المسؤول للنشاط المريب خلال آخر 30 يوماً
4. تدقيق جميع الطلبات المُدرجة أثناء نافذة الثغرة للبحث عن البرامج النصية المحقونة
إرشادات التصحيح:
1. تحديث مكون Sell BTC إلى أحدث إصدار (بعد 1.5) من مستودع WordPress الرسمي
2. التحقق من اكتمال الإصلاح بمراجعة سجل تغييرات المكون لإصلاحات XSS
3. اختبار الوظائف في بيئة التطوير قبل نشر الإنتاج
4. مسح ذاكرة التخزين المؤقت في WordPress بعد التحديث
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تقييد نقطة نهاية AJAX orderform_data للمستخدمين المصرح لهم فقط عبر .htaccess أو قواعد WAF
2. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة
3. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع كشف XSS
4. تحديد وصول لوحة التحكم للمسؤول إلى عناوين IP محددة
5. فرض كلمات مرور قوية للمسؤول والمصادقة الثنائية
قواعد الكشف:
1. مراقبة طلبات POST إلى /wp-admin/admin-ajax.php?action=orderform_data التي تحتوي على علامات البرامج النصية أو معالجات الأحداث
2. التنبيه على وصول لوحة التحكم من مواقع أو أوقات غير عادية
3. تسجيل ومراجعة جميع تعديلات الطلبات في آخر 30 يوماً
4. البحث في قاعدة البيانات عن أنماط <script>، javascript:، onerror=، onload= في بيانات الطلب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Input validation and sanitization controls
5.2.1 - Output encoding and escaping requirements
5.3.2 - Web application security controls
6.1.1 - Vulnerability management and patching
🔵 SAMA CSF
ID.BE-5 - Identify and manage cybersecurity risks in supply chain
PR.DS-1 - Data security and protection
PR.IP-1 - Security patch management
DE.CM-1 - Detect anomalous activity
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
A.12.3.1 - Event logging
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention
6.5.7 - Cross-site scripting (XSS) prevention
6.2 - Security patches and updates
10.2.1 - User access logging
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.ph...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3433480/
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3450361/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f...
security@wordfence.com