Persistent Cross-Site Scripting in WordPress Plugin CP Polls
CVE-2016-20066

5.1MEDIUM

Key Information:

Vendor: WordPress
Status: Cp Polls
Vendor: CVE Published:; 15 June 2026

Badges

👾 Exploit Exists

What is CVE-2016-20066?

The WordPress CP Polls plugin version 1.0.8 contains a vulnerability that allows for persistent cross-site scripting (XSS) attacks due to insufficient validation in its file upload feature. This flaw enables malicious actors to upload files with embedded scripts, which can execute arbitrary JavaScript in the browsers of users who access the infected content. As a result, attackers can potentially hijack user sessions, steal cookies, or perform other malicious actions against unaware users. Proper input sanitization and implementing security measures are essential to mitigate this vulnerability.

Affected Version(s)

CP Polls 1.0.8

References

https://www.exploit-db.com/exploits/39513

exploit

https://www.vulncheck.com/advisories/wordpress-cp-polls-p...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 15, 2026
👾
Exploit known to exist
Jun 15, 2026
Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Jun 14, 2026

Credit

Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]

CVE-2016-20066 Data

JSON