What the vulnerability does
01Description
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content.
Explanation of Vulnerability in Simple Terms
02Summary
CP Polls contains a cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject malicious scripts into poll content. The vulnerability requires user interaction—typically a victim clicking a crafted link. The injected script executes in the victim's browser and can modify page content or steal session data. Site administrators should update to a version newer than 1.0.8.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that executes in other users' browsers when they view a poll.
Potential impact on your site
04Site Impact
Authenticated users can deface polls, steal admin session cookies, or redirect visitors to malicious sites.
Conditions required to exploit
05Prerequisites
Attacker must be logged in with low-level privileges; victim must click a link or visit a page containing the payload.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated