CVE-2021-24454

Severity
6.1 MEDIUM
EPSS
1.7%
top 17.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 12
Latest update: May 24

Description

In the YOP Poll WordPress plugin before 6.2.8, a poll created with the options "Allow other answers", "Display other answers in the result list" and "Show results" can lead to Stored Cross-Site Scripting issues, because the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote, for example.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

CVEListV5 | unknown/yop_poll | 6.2.8 | 6.2.8
NVD | yop-poll/yop_poll | < 6.2.8

Vulnerability Details (2)

GHSA
GHSA-whff-r7hf-mx5w: In the YOP Poll WordPress plugin before 6 (2022-05-24)
CVEList
YOP Poll < 6.2.8 - Stored Cross-Site Scripting (2021-07-12)