YOP Poll < 6.1.5 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

If you add a new poll, and place a malicious script in the question/answer fields and then press Preview, the script will run. The preview option is available for the editor & administrator role, which makes these roles vulnerable to XSS attacks.

Proof of Concept

Place a "><script>alert('xss');</script> in the question box and save the post. After saving the post, press preview, and the plugin will show the alert.

Affects Plugins

Fixed in 6.1.5

References

URL

https://wiljeonline.com/vulnerabilities/yop-poll-plugin/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jeroen Mulder

Submitter

Jeroen Mulder

Submitter website

https://wiljeonline.com/

Verified

No

WPVDB ID

cdf7d395-ba22-4efa-a3b8-69748a12c64e

Timeline

Publicly Published

2020-04-24 (about 6 years ago)

Added

2020-04-24 (about 6 years ago)

Last Updated

2020-04-25 (about 6 years ago)

Other

Published

Title

Published

2024-05-31

Title

Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.52 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-06-03

Title

SHOUT <= 3.5.3 - Reflected Cross-Site Scripting

Published

2023-08-21

Title

FTP Access <= 1.0 - Subscriber+ Stored XSS

Published

2026-05-01

Title

Maxi Blocks < 2.1.10 - Authenticated (Author+) Stored Cross-Site Scripting via Style Card REST API

Published

2026-04-30

Title

Freemius < 2.11.0 - Reflected DOM-Based XSS via url Parameter