Poll Maker – Best WordPress Poll Plugin < 5.1.9 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting | CVE 2024-3600 | Plugin Vulnerabilities

Description

The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page.

Affects Plugins

Fixed in 5.1.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fec015e1-7f64-4917-a242-90bd1135f680

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

fee3ee25-5927-46b0-baea-4273306784a6

Timeline

Publicly Published

2024-04-18 (about 1 year ago)

Added

2024-04-18 (about 1 year ago)

Last Updated

2024-04-18 (about 1 year ago)

Other

Published

Title

Published

2025-11-18

Title

Time Slot < 1.4.8 - Unauthenticated Arbitrary Email Sending

Published

2025-01-29

Title

Monetag Official Plugin <= 1.1.3 - Missing Authorization

Published

2026-02-20

Title

Ads Pro < 5.1 - Missing Authorization

Published

2023-10-03

Title

Redirection for Contact Form 7 < 3.0.0 - Missing Authorization

Published

2025-12-24

Title

YITH Slider for page builders <= 1.0.11 - Missing Authorization