WordPress YOP Polls 6.2.7 Cross Site Scripting

Credit: Toby Jackson
Risk: Low
Local: No
Remote: Yes

# Exploit Title: WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS) # Date: 09/06/2021 # Exploit Author: inspired - Toby Jackson # Vendor Homepage: https://yop-poll.com/ # Blog Post: https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ # Software Link: https://en-gb.wordpress.org/plugins/yop-poll/ # Version: Tested on version 6.2.7 (Older versions may be affected) # Tested on: WordPress # Category : Webapps ## I. Vulnerability Stored Cross Site Scripting (XSS) ## II. Product Overview The software allows users to quickly generate polls and voting systems for their blog posts without any need for programming knowledge. ## III. Exploit When a poll is created that allows other answers and then the setting is enabled for displaying the other responses after submission, the other answer is not sanitized when displayed back to the user, showing an XSS vulnerability. It is, however, correctly sanitized when displaying the other choices on the initial vote page. ## IV. Vulnerable Code The vulnerable code resides in the fact the results are echoed back to the user without any sanitization performed on the output. It also gets stored in the database as it's inserts. ## IV. Proof of Concept - Create a new poll that allows other answers, with the results of the other answers being displayed after voting. - Set the permissions to whoever you'd like to be able to vote. - Place it on a blog post. - Insert '<script>alert('xss')</script>' into the other box. - Submit vote. The payload gets triggered when reflected back to users. - Whenever a new user votes, they will also be affected by the payload. ## VI. Impact An attacker can leave stored javascript payloads to be executed whenever a user votes and views the results screen. This could lead to them stealing cookies, logging keystrokes and even stealing passwords from autocomplete forms. ## VII. SYSTEMS AFFECTED WordPress websites running "YOP Polls" plugin version 6.2.7 (older versions may also be affected). ## VIII. REMEDIATION Update the plugin to v6.2.8. ## VIIII. DISCLOSURE TIMELINE ------------------------- June 9, 2021 1: Vulnerability identified. June 9, 2021 2: Informed developer of the vulnerability. June 10, 2021 1: Vendor requested proof of concept. June 10, 2021 2: Sent proof of concept and accompanying details. June 14, 2021 1: Vendor emails to state the vulnerability has been fixed. June 16, 2021 1: Confirmed fix, vendor happy to disclose the vulnerability. June 17, 2021 1: Requested CVE Number.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top