Poll Maker Vulnerable to Stored Cross-Site Scripting
CVE-2024-3600
6.1 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 19 April 2024
What is CVE-2024-3600?
The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) because the ays_poll_maker_quick_start AJAX action has no proper capability check. In addition, all versions up to and including 5.1.8 lack sufficient escaping and sanitization. Together these flaws let unauthenticated attackers create quizzes that embed malicious scripts, which execute without user consent when a targeted individual visits the page, significantly increasing the risk of data theft and site compromise.
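The following is an added example, not the Poll Maker plugin's code or its actual patch: a WordPress AJAX handler for the action named above that applies the controls the description says were missing (a capability check, input sanitization, output escaping), plus a nonce check. The `example_` function names, the `example_poll` post type, the nonce action, the `title`/`answers` request fields and the `manage_options` capability are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. All example_* names, the request
// fields and the capability chosen are assumptions.

// Register only the authenticated hook. Adding a wp_ajax_nopriv_* hook for the
// same action would let logged-out visitors reach the handler.
add_action( 'wp_ajax_ays_poll_maker_quick_start', 'example_quick_start' );

function example_quick_start() {
    // CSRF: reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer( 'example_quick_start', 'nonce' );

    // Authorization: being logged in is not enough, require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Sanitize on input: sanitize_text_field() strips tags and line breaks.
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $raw     = isset( $_POST['answers'] ) && is_array( $_POST['answers'] ) ? wp_unslash( $_POST['answers'] ) : array();
    $answers = array_values( array_filter( array_map( 'sanitize_text_field', $raw ), 'strlen' ) );
    if ( '' === $title || count( $answers ) < 2 ) {
        wp_send_json_error( array( 'message' => 'A title and two answers are required' ), 400 );
    }

    $poll_id = wp_insert_post(
        array( 'post_type' => 'example_poll', 'post_title' => $title, 'post_status' => 'draft' ),
        true
    );
    if ( is_wp_error( $poll_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not save poll' ), 500 );
    }
    update_post_meta( $poll_id, '_example_answers', $answers );
    wp_send_json_success( array( 'id' => $poll_id ) );
}

// Escape on output as well, so a value that reached storage some other way
// is still rendered as text rather than markup.
function example_render_poll( $poll_id ) {
    $html = '<h3>' . esc_html( get_post_field( 'post_title', $poll_id ) ) . '</h3><ul>';
    foreach ( (array) get_post_meta( $poll_id, '_example_answers', true ) as $answer ) {
        $html .= '<li>' . esc_html( $answer ) . '</li>';
    }
    return $html . '</ul>';
}
```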
Affected Version(s)
Poll Maker – Best WordPress Poll Plugin * <= 5.1.8