What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll.This issue affects YOP Poll: from n/a through <= 6.5.37.
CVE-2025-62040
HIGH
CVE-2025-62040: WordPress YOP Poll plugin <= 6.5.37 - Cross Site Scripting (XSS) vulnerability
CVSS base score
7.1/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
02Summary
YOP Poll versions 6.5.37 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into poll pages. An attacker can craft a malicious link that, when visited by a site visitor, executes JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement of poll content.
What an attacker can do
03Attacker Capabilities
Inject and execute malicious JavaScript in visitors' browsers when they view a crafted poll link.
Potential impact on your site
04Site Impact
Visitors to your polls may have their sessions hijacked, credentials stolen, or see malicious content injected into poll pages.
Conditions required to exploit
05Prerequisites
Attacker must trick a site visitor into clicking a malicious link (user interaction required); no authentication needed.
Key dates
06Disclosure timeline
November 6, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-23651 WordPress Scroll Top plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2023-42009 IBM InfoSphere Information Server cross-site scripting
CVE-2025-1349 IBM Sterling B2B Integrator and IBM Sterling File Gateway cross-site scripting
CVE-2019-15619
CVE-2025-48922 GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078
