Impact
WordPress CP Polls 1.0.8 contains a persistent cross‑site scripting flaw that enables an attacker to upload files bearing malicious JavaScript scripts. When the uploaded file is viewed by other users, the script runs in the victims’ browsers, allowing arbitrary client‑side code execution. The weakness is a classic unsanitized input problem (CWE‑79). The vulnerability does not provide direct server‑side code execution or privilege escalation; its primary impact is on confidentiality and integrity of user sessions through client‑side injection.
Affected Systems
The CP Polls plugin developed by dwbooster, version 1.0.8. No other versions or vendors have been listed as affected.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity level. EPSS score of 0.00192 indicates a very low exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. Based on the description, the likely attack vector is an unauthenticated or lightly authenticated attacker who can upload files through the plugin’s interface. Once the file is stored, any user who views the content will trigger execution of the embedded script, making the threat primarily a client‑side attack affecting all visitors of the compromised site.
OpenCVE Enrichment