Impact
This vulnerability is a DOM‑based Cross‑Site Scripting flaw caused by improper neutralization of input during web page generation in the Ays Pro Poll Maker plugin. Because user input is reflected into the DOM without proper encoding, an attacker can inject malicious scripts that will execute in the browsers of victims who view the affected poll. The weakness is fundamentally an instance of improper input sanitization, captured by CWE‑79, and it offers attackers the ability to run arbitrary JavaScript in a victim’s context, potentially leading to credential theft, session hijacking, or site defacement. The impact is limited to client‑side code execution; it does not provide direct back‑end access or server‑side code execution.
Affected Systems
The issue affects the Ays Pro Poll Maker WordPress plugin in all releases from the initial version through version 6.0.2 inclusive. Any WordPress installation that has this plugin installed and enabled is potentially vulnerable unless the plugin is upgraded to a version beyond 6.0.2.
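A version check for the affected range stated above, as an added example that is not part of the advisory or the plugin's code. It reads standard WordPress plugin file headers under a plugins directory supplied by the caller; the `Plugin Name:` value `Poll Maker` is an assumption and should be adjusted to match the installed plugin.

```python
import re
from pathlib import Path

LAST_AFFECTED = "6.0.2"     # from the advisory: affected through 6.0.2 inclusive
PLUGIN_NAME = "Poll Maker"  # assumption: value of the "Plugin Name:" header
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '6.0.2' into (6, 0, 2); return () if no leading dotted number."""
    nums = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(n) for n in nums.group(1).split(".")) if nums else ()

def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, compared numerically per segment."""
    a, b = parse_version(version), parse_version(last_affected)
    if not a:
        return True  # unreadable version: flag it for manual review
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))  # so 6.0 compares as 6.0.0
    return pad(a) <= pad(b)

def read_header(php_source):
    """Extract Plugin Name / Version from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def scan_plugins(plugins_dir):
    """Return [(path, version, affected)] for matching plugins under plugins_dir."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php.read_text(errors="replace"))
        if PLUGIN_NAME.lower() in fields.get("plugin name", "").lower():
            version = fields.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

# Constructed sample header, not taken from the plugin's source.
SAMPLE = """<?php
/**
 * Plugin Name: Poll Maker
 * Version: 6.0.2
 */
"""
```

Call `scan_plugins()` with the site's plugins directory; any tuple whose last element is `True` is at or below 6.0.2 and needs the upgrade.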
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity: an attacker cannot directly alter server data, but the XSS payload can have significant client-side consequences. The EPSS score of less than 1% suggests that exploitation is unlikely at the moment; however, the flaw can be exploited by any attacker who can persuade a user to visit a crafted poll URL, or by an automated approach on sites with many visitors. The vulnerability is not listed in CISA's KEV catalog, meaning it has not been observed in widespread, actively exploited attacks to date. Based on the description, the attack vector is inferred to be client-side, requiring a victim's browser to load the malicious poll page, and it likely does not require authentication or elevated privileges on the server side. Attackers would typically create a poll containing JavaScript payloads or manipulate query parameters that the plugin reflects into the DOM.