CVE-2021-24454

YOP Poll < 6.2.8 - Stored Cross-Site Scripting

EPSS 1.6%CWE-79

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Jul 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.

Affected products

Unknown · YOP Poll

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/