CVE Catalog

CVE-2016-20066

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

WordPress CP Polls version 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers, enabling arbitrary JavaScript execution in the browsers of users viewing the affected content.

Risk Assessment

This vulnerability poses a risk of executing malicious code in users' browsers, potentially leading to data theft or session hijacking. Organizations using this plugin are exposed to attacks that could impact their reputation and data security.

Recommendation

It is recommended to update the CP Polls plugin to the latest version that addresses this vulnerability. Additionally, implementing file upload filtering and validation mechanisms is advisable to minimize the risk of XSS attacks.

Original NVD description (English source)

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS