CVE-2021-24454

In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.
Configurations

Configuration 1 (hide)

cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 05:53

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 - Exploit, Third Party Advisory () https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 - Exploit, Third Party Advisory
References () https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ - Exploit, Third Party Advisory () https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ - Exploit, Third Party Advisory

15 Jul 2021, 15:37

Type Values Removed Values Added
References (MISC) https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ - (MISC) https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ - Exploit, Third Party Advisory
References (CONFIRM) https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 - (CONFIRM) https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 - Exploit, Third Party Advisory
CWE CWE-79
CPE cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 6.1

12 Jul 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-07-12 20:15

Updated : 2024-11-21 05:53


NVD link : CVE-2021-24454

Mitre link : CVE-2021-24454

CVE.ORG link : CVE-2021-24454


JSON object : View

Products Affected

yop-poll

  • yop_poll
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')