Description
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw exists in CP Polls 1.0.8 that lets an attacker force logged‑in administrators to perform poll‑management actions without their knowledge. This weakness, classified as CWE‑352, enables manipulation of poll content and results, compromising the integrity of the site configuration.

Affected Systems

The WordPress plugin CP Polls, version 1.0.8, when installed on any WordPress site is affected. Administrators who are logged in while visiting a malicious page can trigger the exploit.

Risk and Exploitability

The vulnerability scores a CVSS impact of 5.3 and the EPSS score is 0.00116, indicating a very low exploitation probability; it is not listed in CISA KEV. Exploitation requires an attacker to host a malicious page that an authenticated administrator visits in a browser. The risk is moderate, with the main limitation that the attacker needs the victim to be logged into WordPress and to trigger the page. No widely known public exploits are documented.

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CP Polls plugin to the latest version that contains the CSRF fix.
  • If no patch is available, temporarily disable CP Polls until a security update is released.
  • Limit administrative access to trusted IP addresses and enable two‑factor authentication to reduce the likelihood of successful CSRF attacks.

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dwbooster
Dwbooster cp Polls
Wordpress
Wordpress wordpress
Vendors & Products Dwbooster
Dwbooster cp Polls
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.
Title WordPress CP Polls 1.0.8 Cross-Site Request Forgery
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

Dwbooster Cp Polls
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T21:59:06.922Z

Reserved: 2026-06-14T18:20:19.740Z

Link: CVE-2016-20067

cve-icon Vulnrichment

Updated: 2026-06-15T21:59:00.800Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:29.680

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20067

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)