CVE-2021-24834

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 52.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown YOP PollYop-poll YOP Poll
Timeline
PublishedNov 17
Latest updateMay 24

Description

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/yop_poll6.3.16.3.1
NVDyop-poll/yop_poll< 6.3.1

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-4rg7-7m6h-7jqr: The YOP Poll WordPress plugin before 62022-05-24
CVEList
YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module2021-11-17
CVE-2021-24834 (MEDIUM CVSS 5.4) | The YOP Poll WordPress plugin befor | cvebase.io