Vulnerabilities related to Unknown - YOP Poll
CVE-2022-1600 (GCVE-0-2022-1600)
Vulnerability from cvelistv5
Published
2022-08-01 12:48
Modified
2024-08-03 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
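The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations. Request headers are supplied by the client, so the address read from them is not trustworthy unless it was set by a reverse proxy the site itself controls; otherwise REMOTE_ADDR is the value to rely on for per-IP limits.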
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.637Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.4.3", "status": "affected", "version": "6.4.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Daniel Ruf" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-01T12:48:14", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.4.3 - IP Spoofing", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-1600", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.4.3 - IP Spoofing" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.4.3", "version_value": "6.4.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Daniel Ruf" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations." } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-639 Authorization Bypass Through User-Controlled Key" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-1600", "datePublished": "2022-08-01T12:48:14", "dateReserved": "2022-05-05T00:00:00", "dateUpdated": "2024-08-03T00:10:03.637Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-0205 (GCVE-0-2022-0205)
Vulnerability from cvelistv5
Published
2022-03-07 08:16
Modified
2024-08-02 23:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/446de364-720e-41ec-b80e-7678c8f4ad80 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:18:42.555Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/446de364-720e-41ec-b80e-7678c8f4ad80" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.3.5", "status": "affected", "version": "6.3.5", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Yoru Oni" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-07T08:16:23", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/446de364-720e-41ec-b80e-7678c8f4ad80" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.3.5 - Author+ Stored Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-0205", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.3.5 - Author+ Stored Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3.5", "version_value": "6.3.5" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Yoru Oni" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/446de364-720e-41ec-b80e-7678c8f4ad80", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/446de364-720e-41ec-b80e-7678c8f4ad80" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-0205", "datePublished": "2022-03-07T08:16:23", "dateReserved": "2022-01-12T00:00:00", "dateUpdated": "2024-08-02T23:18:42.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24454 (GCVE-0-2021-24454)
Vulnerability from cvelistv5
Published
2021-07-12 19:21
Modified
2024-08-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
In the YOP Poll WordPress plugin before 6.2.8, when a poll is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues, as the 'Other' answer is not sanitised before being output in the page. When the XSS payload executes depends on the 'Show results' option selected, which could be before or after sending the vote, for example.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 | x_refsource_CONFIRM |
| https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:35:18.675Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.2.8", "status": "affected", "version": "6.2.8", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Toby Jackson" } ], "descriptions": [ { "lang": "en", "value": "In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options \"Allow other answers\", \"Display other answers in the result list\" and \"Show results\", it can lead to Stored Cross-Site Scripting issues as the \u0027Other\u0027 answer is not sanitised before being output in the page. The execution of the XSS payload depends on the \u0027Show results\u0027 option selected, which could be before or after sending the vote for example." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-12T19:21:05", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ], "source": { "discovery": "UNKNOWN" }, "title": "YOP Poll \u003c 6.2.8 - Stored Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24454", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.2.8 - Stored Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.2.8", "version_value": "6.2.8" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Toby Jackson" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options \"Allow other answers\", \"Display other answers in the result list\" and \"Show results\", it can lead to Stored Cross-Site Scripting issues as the \u0027Other\u0027 answer is not sanitised before being output in the page. The execution of the XSS payload depends on the \u0027Show results\u0027 option selected, which could be before or after sending the vote for example." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "name": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/", "refsource": "MISC", "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24454", "datePublished": "2021-07-12T19:21:05", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:18.675Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24834 (GCVE-0-2021-24834)
Vulnerability from cvelistv5
Published
2021-11-17 10:15
Modified
2024-08-03 19:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module, where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of the custom label parameters: vote button label, results link label and back to vote caption label.
References
| URL | Tags |
|---|---|
| https://plugins.trac.wordpress.org/changeset/2605368 | x_refsource_CONFIRM |
| https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf | x_refsource_MISC |
| https://www.fortiguard.com/zeroday/FG-VD-21-053 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:42:17.214Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.3.1", "status": "affected", "version": "6.3.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Vishnupriya Ilango" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-17T10:15:47", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24834", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3.1", "version_value": "6.3.1" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Vishnupriya Ilango" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://plugins.trac.wordpress.org/changeset/2605368", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "name": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "name": "https://www.fortiguard.com/zeroday/FG-VD-21-053", "refsource": "MISC", "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24834", "datePublished": "2021-11-17T10:15:47", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.214Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24833 (GCVE-0-2021-24833)
Vulnerability from cvelistv5
Published
2021-11-17 10:15
Modified
2024-08-03 19:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module, where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of the question and answer text parameters in the Create Poll module.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34 | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2605368 | x_refsource_CONFIRM |
| https://www.fortiguard.com/zeroday/FG-VD-21-052 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:42:17.229Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.3.1", "status": "affected", "version": "6.3.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Vishnupriya Ilango" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-17T10:15:46", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24833", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3.1", "version_value": "6.3.1" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Vishnupriya Ilango" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "name": "https://plugins.trac.wordpress.org/changeset/2605368", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "name": "https://www.fortiguard.com/zeroday/FG-VD-21-052", "refsource": "MISC", "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24833", "datePublished": "2021-11-17T10:15:46", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.229Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24885 (GCVE-0-2021-24885)
Vulnerability from cvelistv5
Published
2021-10-25 13:21
Modified
2024-08-03 19:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/d0b312f8-8b16-45be-b5e5-bf9d4b3e9b1e | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2227747/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:49:12.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/d0b312f8-8b16-45be-b5e5-bf9d4b3e9b1e" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2227747/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.1.2", "status": "affected", "version": "6.1.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Mastur Fatullah" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-25T13:21:01", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/d0b312f8-8b16-45be-b5e5-bf9d4b3e9b1e" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2227747/" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.1.2 - Reflected Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24885", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.1.2 - Reflected Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.1.2", "version_value": 
"6.1.2" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Mastur Fatullah" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/d0b312f8-8b16-45be-b5e5-bf9d4b3e9b1e", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/d0b312f8-8b16-45be-b5e5-bf9d4b3e9b1e" }, { "name": "https://plugins.trac.wordpress.org/changeset/2227747/", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2227747/" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24885", "datePublished": "2021-10-25T13:21:01", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:49:12.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }