Poll Maker Vulnerable to Stored Cross-Site Scripting
CVE-2024-3600
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 19 April 2024
Summary
The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) because the ays_poll_maker_quick_start AJAX action performs no capability check, and all versions up to and including 5.1.8 also lack sufficient escaping and sanitization. This allows unauthenticated attackers to create quizzes that embed arbitrary scripts, which run without the user's consent whenever a targeted individual visits the page, significantly increasing the risk of data theft and site compromise.
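The two defects named above (a nopriv AJAX action with no capability check, and stored input that is neither sanitized nor escaped) side by side with the hardened form, as an added illustration in a hypothetical WordPress AJAX handler; this is not the plugin's own code, and the action, option and function names are assumptions:

```php
<?php
// Hypothetical handler illustrating the flaw class in CVE-2024-3600.
// Not Poll Maker's code: action, option and function names are assumed.

// VULNERABLE pattern: reachable by unauthenticated callers (nopriv hook),
// no capability or nonce check, raw input stored and later echoed unescaped.
add_action( 'wp_ajax_nopriv_example_quick_start', 'example_quick_start_insecure' );
function example_quick_start_insecure() {
    $title = $_POST['title'] ?? '';                 // attacker-controlled, unsanitized
    update_option( 'example_poll_title', $title );  // persisted as-is (stored XSS sink)
    wp_send_json_success( array( 'title' => $title ) );
}
function example_render_insecure() {
    // Output without escaping: whatever was stored is interpreted as HTML.
    echo '<h2>' . get_option( 'example_poll_title' ) . '</h2>';
}

// HARDENED pattern: authenticated hook only, explicit capability check,
// nonce check, sanitize on input, escape on output.
add_action( 'wp_ajax_example_quick_start', 'example_quick_start_secure' );
function example_quick_start_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // dies after sending
    }
    check_ajax_referer( 'example_quick_start', 'nonce' );     // dies on bad nonce
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_poll_title', $title );
    wp_send_json_success( array( 'title' => $title ) );
}
function example_render_secure() {
    // Escape at the point of output regardless of what was stored.
    echo '<h2>' . esc_html( get_option( 'example_poll_title' ) ) . '</h2>';
}
```

The capability check is the fix for the unauthenticated reach; sanitizing on input and escaping on output are the fix for the script execution, and both are needed.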
Affected Version(s)
Poll Maker – Best WordPress Poll Plugin: all versions <= 5.1.8
References
CVSS V3.1
- Score: 7.2
- Severity: HIGH
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Krzysztof Zając