The CP Polls plugin for WordPress contains a stored cross‑site scripting flaw that occurs because user‑supplied content is not properly sanitized before being rendered. This allows an attacker who can inject malicious scripts into the plugin’s data fields to have those scripts executed in the browsers of any user who views the affected content, potentially leading to session hijacking, credential theft, or other client‑side compromises. This vulnerability corresponds to CWE‑79: Improper Neutralization of Input During Web Page Generation.

It affects installations of the codepeople CP Polls plugin with version numbers up to and including 1.0.81. All WordPress sites running the plugin in this range are vulnerable. No other versions or plugins are reported to be affected.

The vulnerability has a CVSS score of 5.9, indicating a moderate to high risk for attackers who can reach the affected pages. The EPSS score is less than 1%, meaning exploitation is currently unlikely but not impossible. The issue is not listed in the CISA KEV catalog. An attacker needs only to supply malicious input via the plugin’s stored fields and entice a legitimate user to view the compromised content; no elevated privileges or network access beyond the ability to input data into the plugin are required.