LiquidPoll Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-7134

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Liquidpoll – Polls, Surveys, Nps And Feedback Reviews
Vendor: CVE Published:; 21 August 2024

Summary

The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is exposed to a serious vulnerability characterized by stored cross-site scripting through the 'form_data' parameter. This flaw, present in all versions up to and including 3.3.78, arises from inadequate input sanitization and output escaping protocols. As a result, it opens the door for unauthorized attackers to inject malicious web scripts, which can be executed whenever unsuspecting users access compromised pages. This vulnerability poses significant security risks to websites utilizing the LiquidPoll plugin.

Affected Version(s)

LiquidPoll – Polls, Surveys, NPS and Feedback Reviews * <= 3.3.78

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-poll/#developers

https://plugins.trac.wordpress.org/browser/wp-poll/trunk/...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 21, 2024
Vulnerability Reserved
Jul 26, 2024

Credit

D.Sim