CVE-2016-20066
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
WordPress CP Polls version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers, enabling arbitrary JavaScript execution in the browsers of users viewing the affected content.
Risk Assessment
This vulnerability poses a risk of executing malicious code in users' browsers, potentially leading to data theft or session hijacking. Organizations using this plugin are exposed to attacks that could impact their reputation and data security.
Recommendation
It is recommended to update the CP Polls plugin to the latest version that addresses this vulnerability. Additionally, implementing file upload filtering and validation mechanisms is advisable to minimize the risk of XSS attacks.
Original NVD description (English source)
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content.

