WP-Polls <= 2.70 - Stored Cross-Site Scripting (XSS)



Description
The /wp-admin/admin.php?page=wp-polls%2Fpolls-add.php page is vulnerable to XSS within the pollq_question and polla_answers[] parameters.
Proof of Concept
Add a new poll with the question or answer as <svg onload="alert(/1/)">

Affects Plugin

fixed in version 2.70

References

URL https://wordpress.org/plugins/wp-polls/changelog/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter ptsx
Views 5010
Verified No
WPVDB ID 8160

Timeline

Publicly Published 2015-08-14 (over 4 years ago)
Added 2015-08-25 (over 4 years ago)
Last Updated 2019-10-22 (3 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin