WordPress Plugin Vulnerabilities

WP-Polls <= 2.70 - Stored Cross-Site Scripting (XSS)

Description

The /wp-admin/admin.php?page=wp-polls%2Fpolls-add.php page is vulnerable to XSS within the pollq_question and polla_answers[] parameters.

Proof of Concept

Add a new poll with the question or answer as <svg onload="alert(/1/)">

Affects Plugins

Plugin icon
wp-polls
Fixed in 2.70

References

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
ptsx
Verified
No
WPVDB ID
8497ceda-f72f-4c55-a4eb-616ba5c403ce

Timeline

Publicly Published
2015-08-14 (about 8 years ago)
Added
2015-08-25 (about 8 years ago)
Last Updated
2019-10-22 (about 4 years ago)

Other

Published
Title
Published
2024-05-06
Title
WordPress Affiliates Plugin — SliceWP Affiliates < 1.1.11 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Category Grid View Gallery 2.3.1 - CatGridPost.php ID Parameter XSS
Published
2014-05-28
Title
Easy Career Opening <= 0.4 - Cross-Site Scripting (XSS)
Published
2023-05-16
Title
Zotpress < 7.3.4 - Unauthenticated Reflected XSS
Published
2024-03-13
Title
Otter Blocks < 2.6.5 - Contributor+ Stored Cross-Site Scripting