CVE-2021-24833

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 54.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown YOP PollYop-poll YOP Poll
Timeline
PublishedNov 17
Latest updateMay 24

Description

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/yop_poll6.3.16.3.1
NVDyop-poll/yop_poll< 6.3.1

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-ggxf-x772-3hfw: The YOP Poll WordPress plugin before 62022-05-24
CVEList
YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module2021-11-17
CVE-2021-24833 (MEDIUM CVSS 5.4) | The YOP Poll WordPress plugin befor | cvebase.io