The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Configurations
History
28 May 2025, 18:42
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:free:wordpress:*:* | |
| First Time |
Ays-pro poll Maker
Ays-pro |
|
| References | () https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-polls-list-table.php#L244 - Product | |
| References | () https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-polls-list-table.php#L255 - Product | |
| References | () https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-polls-list-table.php#L362 - Product | |
| References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6434fb-390d-439d-bf3e-9afe8644fd58?source=cve - Third Party Advisory |
Information
Published : 2024-10-26 03:15
Updated : 2025-05-28 18:42
NVD link : CVE-2024-9462
Mitre link : CVE-2024-9462
CVE.ORG link : CVE-2024-9462
JSON object : View
Products Affected
ays-pro
- poll_maker
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')