What the vulnerability does
01Description
Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.
Explanation of Vulnerability in Simple Terms
02Summary
The Poll, Survey & Quiz Maker Plugin by Opinion Stage contains a cross-site scripting (XSS) vulnerability in versions before 19.6.25. An authenticated user with low privileges can inject malicious scripts that execute in other users' browsers when they interact with polls or surveys. The vulnerability requires user interaction to trigger. Update to version 19.6.25 or later to fix this issue.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in other users' browsers when they view or interact with polls.
Potential impact on your site
04Site Impact
Authenticated users can inject scripts affecting other site visitors, potentially stealing session data or redirecting users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site; victim must view the affected poll or survey.
Key dates
06Disclosure timeline
January 16, 2026
CVE published
January 16, 2026
Record updated