Vulnerabilities related to yop-poll - yop_poll
CVE-2022-1600 (GCVE-0-2022-1600)
Vulnerability from cvelistv5
Published
2022-08-01 12:48
Modified
2024-08-03 00:10
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.637Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.4.3", "status": "affected", "version": "6.4.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Daniel Ruf" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-01T12:48:14", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.4.3 - IP Spoofing", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-1600", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.4.3 - IP Spoofing" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.4.3", "version_value": "6.4.3" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Daniel Ruf" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations." } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-639 Authorization Bypass Through User-Controlled Key" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-1600", "datePublished": "2022-08-01T12:48:14", "dateReserved": "2022-05-05T00:00:00", "dateUpdated": "2024-08-03T00:10:03.637Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-6109 (GCVE-0-2023-6109)
Vulnerability from cvelistv5
Published
2023-11-14 06:39
Modified
2025-01-08 16:42
CWE
Summary
The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. This is due to improper restrictions on the add() function. This makes it possible for unauthenticated attackers to place multiple votes on a single poll even when the poll is set to one vote per person.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
yourownprogrammer | YOP Poll |
Version: * ≤ 6.5.26 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:21:17.742Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c?source=cve" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2959124/yop-poll/trunk/admin/models/votes.php" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-6109", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-22T17:04:13.918034Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-08T16:42:50.700Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "YOP Poll", "vendor": "yourownprogrammer", "versions": [ { "lessThanOrEqual": "6.5.26", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "RIN MIYACHI" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. This is due to improper restrictions on the add() function. This makes it possible for unauthenticated attackers to place multiple votes on a single poll even when the poll is set to one vote per person." 
} ], "metrics": [ { "cvssV3_1": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-14T06:39:41.417Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence" }, "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c?source=cve" }, { "url": "https://plugins.trac.wordpress.org/changeset/2959124/yop-poll/trunk/admin/models/votes.php" } ], "timeline": [ { "lang": "en", "time": "2023-11-13T00:00:00.000+00:00", "value": "Disclosed" } ] } }, "cveMetadata": { "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2023-6109", "datePublished": "2023-11-14T06:39:41.417Z", "dateReserved": "2023-11-13T17:45:44.490Z", "dateUpdated": "2025-01-08T16:42:50.700Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24454 (GCVE-0-2021-24454)
Vulnerability from cvelistv5
Published
2021-07-12 19:21
Modified
2024-08-03 19:35
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 | x_refsource_CONFIRM | |
https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:35:18.675Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.2.8", "status": "affected", "version": "6.2.8", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Toby Jackson" } ], "descriptions": [ { "lang": "en", "value": "In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options \"Allow other answers\", \"Display other answers in the result list\" and \"Show results\", it can lead to Stored Cross-Site Scripting issues as the \u0027Other\u0027 answer is not sanitised before being output in the page. The execution of the XSS payload depends on the \u0027Show results\u0027 option selected, which could be before or after sending the vote for example." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-12T19:21:05", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ], "source": { "discovery": "UNKNOWN" }, "title": "YOP Poll \u003c 6.2.8 - Stored Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24454", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.2.8 - Stored Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.2.8", "version_value": "6.2.8" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Toby Jackson" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options \"Allow other answers\", \"Display other answers in the result list\" and \"Show results\", it can lead to Stored Cross-Site Scripting issues as the \u0027Other\u0027 answer is not sanitised before being output in the page. The execution of the XSS payload depends on the \u0027Show results\u0027 option selected, which could be before or after sending the vote for example." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "name": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/", "refsource": "MISC", "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24454", "datePublished": "2021-07-12T19:21:05", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:18.675Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24834 (GCVE-0-2021-24834)
Vulnerability from cvelistv5
Published
2021-11-17 10:15
Modified
2024-08-03 19:42
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label.
References
▼ | URL | Tags |
---|---|---|
https://plugins.trac.wordpress.org/changeset/2605368 | x_refsource_CONFIRM | |
https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf | x_refsource_MISC | |
https://www.fortiguard.com/zeroday/FG-VD-21-053 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:42:17.214Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.3.1", "status": "affected", "version": "6.3.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Vishnupriya Ilango" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-17T10:15:47", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24834", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3.1", "version_value": "6.3.1" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Vishnupriya Ilango" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://plugins.trac.wordpress.org/changeset/2605368", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "name": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "name": "https://www.fortiguard.com/zeroday/FG-VD-21-053", "refsource": "MISC", "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24834", "datePublished": "2021-11-17T10:15:47", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.214Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-24833 (GCVE-0-2021-24833)
Vulnerability from cvelistv5
Published
2021-11-17 10:15
Modified
2024-08-03 19:42
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module.
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34 | x_refsource_MISC | |
https://plugins.trac.wordpress.org/changeset/2605368 | x_refsource_CONFIRM | |
https://www.fortiguard.com/zeroday/FG-VD-21-052 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:42:17.229Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "Unknown", "versions": [ { "lessThan": "6.3.1", "status": "affected", "version": "6.3.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Vishnupriya Ilango" } ], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-17T10:15:46", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ], "source": { "discovery": "EXTERNAL" }, "title": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24833", "STATE": "PUBLIC", "TITLE": "YOP Poll \u003c 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3.1", "version_value": "6.3.1" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Vishnupriya Ilango" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module." 
} ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "name": "https://plugins.trac.wordpress.org/changeset/2605368", "refsource": "CONFIRM", "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "name": "https://www.fortiguard.com/zeroday/FG-VD-21-052", "refsource": "MISC", "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24833", "datePublished": "2021-11-17T10:15:46", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:42:17.229Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-2127 (GCVE-0-2017-2127)
Vulnerability from cvelistv5
Published
2017-04-28 16:00
Modified
2024-08-05 13:39
CWE
- Cross-site scripting
Summary
Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://jvn.jp/en/jp/JVN55294532/index.html | third-party-advisory, x_refsource_JVN | |
http://www.securityfocus.com/bid/97118 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T13:39:32.431Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVN#55294532", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN55294532/index.html" }, { "name": "97118", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97118" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "YOP Poll", "vendor": "YOP", "versions": [ { "status": "affected", "version": "versions prior to 5.8.1" } ] } ], "datePublic": "2017-04-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-05-01T09:57:02", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVN#55294532", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN55294532/index.html" }, { "name": "97118", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97118" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2017-2127", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "YOP Poll", "version": { "version_data": [ { "version_value": "versions prior to 5.8.1" } ] } } ] }, "vendor_name": "YOP" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to 
inject arbitrary web script or HTML via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "JVN#55294532", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN55294532/index.html" }, { "name": "97118", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97118" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2017-2127", "datePublished": "2017-04-28T16:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T13:39:32.431Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2021-11-17 11:15
Modified
2024-11-21 05:53
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module.
References
▼ | URL | Tags | |
---|---|---|---|
contact@wpscan.com | https://plugins.trac.wordpress.org/changeset/2605368 | Patch, Third Party Advisory | |
contact@wpscan.com | https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34 | Third Party Advisory | |
contact@wpscan.com | https://www.fortiguard.com/zeroday/FG-VD-21-052 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://plugins.trac.wordpress.org/changeset/2605368 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.fortiguard.com/zeroday/FG-VD-21-052 | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "87834720-D115-4676-B2CD-E2DE6B7EE8DF", "versionEndExcluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module." }, { "lang": "es", "value": "El plugin YOP Poll de WordPress versiones anteriores a 6.3.1, est\u00e1 afectado por una vulnerabilidad de tipo Cross-Site Scripting almacenada, que es presentado en el m\u00f3dulo de vista previa de administraci\u00f3n, donde un usuario con un rol tan bajo como el de autor puede ejecutar c\u00f3digo de script arbitrario dentro del contexto de la aplicaci\u00f3n. 
Esta vulnerabilidad es debido a una comprobaci\u00f3n insuficiente de los par\u00e1metros de texto de las preguntas y respuestas en el m\u00f3dulo Create Poll" } ], "id": "CVE-2021-24833", "lastModified": "2024-11-21T05:53:51.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-17T11:15:08.103", "references": [ { "source": "contact@wpscan.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "source": "contact@wpscan.com", "tags": [ "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "source": "contact@wpscan.com", "tags": [ "Third Party Advisory" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/7cb39087-fbab-463d-9592-003e3fca6d34" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-052" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "contact@wpscan.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-28 16:59
Modified
2025-04-20 01:37
Summary
Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags | |
---|---|---|---|
vultures@jpcert.or.jp | http://jvn.jp/en/jp/JVN55294532/index.html | Third Party Advisory, VDB Entry | |
vultures@jpcert.or.jp | http://www.securityfocus.com/bid/97118 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://jvn.jp/en/jp/JVN55294532/index.html | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97118 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E274C90C-D1CF-4687-9020-D66AA34C3562", "versionEndIncluding": "5.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting en YOP Poll versiones anteriores a 5.8.1 permite a los atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2017-2127", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-28T16:59:01.450", "references": [ { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], 
"url": "http://jvn.jp/en/jp/JVN55294532/index.html" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97118" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://jvn.jp/en/jp/JVN55294532/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97118" } ], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-12 20:15
Modified
2024-11-21 05:53
Severity ?
Summary
In the YOP Poll WordPress plugin before 6.2.8, when a poll is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. Because the 'Other' answer is free text supplied by any voter (no authentication is required), an unauthenticated attacker can store the payload simply by voting. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.
References
▼ | URL | Tags | |
---|---|---|---|
contact@wpscan.com | https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 | Exploit, Third Party Advisory | |
contact@wpscan.com | https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "885C6414-0549-4260-8A0B-7758CE9AD39E", "versionEndExcluding": "6.2.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options \"Allow other answers\", \"Display other answers in the result list\" and \"Show results\", it can lead to Stored Cross-Site Scripting issues as the \u0027Other\u0027 answer is not sanitised before being output in the page. The execution of the XSS payload depends on the \u0027Show results\u0027 option selected, which could be before or after sending the vote for example." }, { "lang": "es", "value": "En el plugin YOP Poll de WordPress versiones anteriores a 6.2.8, cuando es creado un pool con las opciones \"Allow other answers\", \"Display other answers in the result list\" y \"Show results\", puede conllevar a problemas de tipo Cross-Site Scripting Almacenado ya que la respuesta \"Other\" no es saneado antes de salir en la p\u00e1gina. 
una ejecuci\u00f3n de la carga \u00fatil XSS depende de la opci\u00f3n \"Show results\" seleccionada, que podr\u00eda ser antes o despu\u00e9s de enviar el voto, por ejemplo" } ], "id": "CVE-2021-24454", "lastModified": "2024-11-21T05:53:06.243", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-12T20:15:09.850", "references": [ { "source": "contact@wpscan.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "source": "contact@wpscan.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/48ade7a5-5abb-4267-b9b6-13e31e1b3e91" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "contact@wpscan.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-14 07:15
Modified
2024-11-21 08:43
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. This is due to improper restrictions on the add() function: the one-vote-per-person check and the recording of the vote are not performed atomically, so near-simultaneous vote submissions can each pass the check before the first one is recorded. This makes it possible for unauthenticated attackers to place multiple votes on a single poll even when the poll is set to one vote per person.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "811063FD-6D52-4C8F-B4ED-3DBAD740A052", "versionEndIncluding": "6.5.26", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The YOP Poll plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 6.5.26. This is due to improper restrictions on the add() function. This makes it possible for unauthenticated attackers to place multiple votes on a single poll even when the poll is set to one vote per person." }, { "lang": "es", "value": "El complemento YOP Poll para WordPress es vulnerable a una condici\u00f3n de ejecuci\u00f3n en todas las versiones hasta la 6.5.26 incluida. Esto se debe a restricciones inadecuadas en la funci\u00f3n add(). Esto hace posible que atacantes no autenticados coloquen m\u00faltiples votos en una sola encuesta, incluso cuando la encuesta est\u00e1 configurada para un voto por persona." 
} ], "id": "CVE-2023-6109", "lastModified": "2024-11-21T08:43:08.990", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-14T07:15:07.333", "references": [ { "source": "security@wordfence.com", "tags": [ "Patch" ], "url": "https://plugins.trac.wordpress.org/changeset/2959124/yop-poll/trunk/admin/models/votes.php" }, { "source": "security@wordfence.com", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c?source=cve" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://plugins.trac.wordpress.org/changeset/2959124/yop-poll/trunk/admin/models/votes.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c?source=cve" } ], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-362" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-01 13:15
Modified
2024-11-21 06:41
Severity ?
Summary
The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR. Such headers are supplied by the client and can be set to an arbitrary value unless a trusted reverse proxy overwrites them, so a voter can present a different IP address on each request, which makes it possible to bypass IP-based limitations to vote in certain situations. Sites that do sit behind a proxy should make sure the forwarding header is trusted only when it was set by that proxy.
References
▼ | URL | Tags | |
---|---|---|---|
contact@wpscan.com | https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "92DD0993-7BE1-4BDF-AA45-6214F80F8476", "versionEndExcluding": "6.4.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations." }, { "lang": "es", "value": "El plugin YOP Poll de WordPress versiones anteriores a 6.4.3, prioriza la obtenci\u00f3n de la IP de un visitante a partir de determinados encabezados HTTP sobre REMOTE_ADDR de PHP, lo que hace posible saltarse las limitaciones basadas en la IP para votar en determinadas situaciones" } ], "id": "CVE-2022-1600", "lastModified": "2024-11-21T06:41:03.127", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-01T13:15:09.933", "references": [ { "source": "contact@wpscan.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": 
"contact@wpscan.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-17 11:15
Modified
2024-11-21 05:53
Severity ?
Summary
The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module, where a user with a role as low as Author (a role WordPress does not normally permit to publish unfiltered HTML) is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters: the vote button label, the results link label and the back-to-vote caption label.
References
▼ | URL | Tags | |
---|---|---|---|
contact@wpscan.com | https://plugins.trac.wordpress.org/changeset/2605368 | Patch, Third Party Advisory | |
contact@wpscan.com | https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf | Third Party Advisory | |
contact@wpscan.com | https://www.fortiguard.com/zeroday/FG-VD-21-053 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://plugins.trac.wordpress.org/changeset/2605368 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.fortiguard.com/zeroday/FG-VD-21-053 | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:yop-poll:yop_poll:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "87834720-D115-4676-B2CD-E2DE6B7EE8DF", "versionEndExcluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label." }, { "lang": "es", "value": "El plugin YOP Poll de WordPress versiones anteriores a 6.3.1, est\u00e1 afectado por una vulnerabilidad de tipo Cross-Site Scripting almacenada que se presenta en el m\u00f3dulo Create Poll - Options donde un usuario con un rol tan bajo como el de autor puede ejecutar c\u00f3digo script arbitrario dentro del contexto de la aplicaci\u00f3n. 
Esta vulnerabilidad es debido a que no se comprueban suficientemente los par\u00e1metros de las etiquetas personalizadas: la etiqueta del bot\u00f3n de votaci\u00f3n, la etiqueta del enlace de resultados y la etiqueta del t\u00edtulo de vuelta a la votaci\u00f3n" } ], "id": "CVE-2021-24834", "lastModified": "2024-11-21T05:53:51.337", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-17T11:15:08.160", "references": [ { "source": "contact@wpscan.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://plugins.trac.wordpress.org/changeset/2605368" }, { "source": "contact@wpscan.com", "tags": [ "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "source": "contact@wpscan.com", "tags": [ "Third Party Advisory" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://plugins.trac.wordpress.org/changeset/2605368" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/72f58b14-e5cb-4f1c-a16f-621238c6ebbf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.fortiguard.com/zeroday/FG-VD-21-053" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "contact@wpscan.com", "type": "Primary" } ] }