Description
The Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, in versions prior to 19.6.25, contains a stored cross-site scripting (XSS) vulnerability reachable via multiple parameters, caused by insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.
CVSS breakdown
CVSS 4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: Passive
- Confidentiality (Vulnerable System): Low
- Integrity (Vulnerable System): Low
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): Low
- Integrity (Subsequent System): Low
- Availability (Subsequent System): None
Affected products
References
- MISC: https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/
- MISC: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting
- MISC: https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/
- MISC: https://wordpress.org/plugins/social-polls-by-opinionstage/
- MISC: https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage
- MISC: https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/
- VENDOR_ADVISORY: https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss