WordPress Plugin Vulnerabilities

Poll Maker < 3.2.9 - Reflected Cross-Site Scripting

Description

The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8.

Proof of Concept

Affects Plugins

Plugin icon
poll-maker
Fixed in 3.2.9

References

CVE
CVE-2021-34635
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34635

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Xu-Liang Liao
Submitter
Wordfence
Submitter website
https://wordfence.com
Verified
Yes
WPVDB ID
9e56ec9a-a031-4eed-b3eb-f5c6f9af5214

Timeline

Publicly Published
2021-07-28 (about 4 years ago)
Added
2021-07-28 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2025-09-05
Title
aThemes Addons for Elementor Lite < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Published
2023-04-19
Title
Subscribers - Free Web Push Notifications < 1.5.4 - Admin+ Stored XSS
Published
2024-04-03
Title
WordPress Tag and Category Manager – AI Autotagger < 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-11-08
Title
Storely <= 14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
新淘客WordPress插件 <= 1.1.2 - Reflected Cross-Site Scripting