2 results (0.002 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

Authenticated (admin+) Cross-Site Scripting (XSS) vulnerability in wpdevart Poll, Survey, Questionnaire and Voting system plugin <= 1.7.4 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticado (admin+) en el plugin wpdevart Poll, Survey, Questionnaire and Voting system versiones anteriores a 1.7.4 incluyéndola en WordPress. The Poll, Survey, Questionnaire and Voting system plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/polls-widget/wordpress-poll-survey-questionnaire-and-voting-system-plugin-1-7-4-authenticated-cross-site-scripting-xss-vulnerability/_s_id=cve https://wordpress.org/plugins/polls-widget • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 19%CPEs: 1EXPL: 2

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks El plugin Poll, Survey, Questionnaire and Voting system de WordPress, versiones anteriores a 1.5.3 no saneaba, escapaba o comprobaba el parámetro POST date_answers[] antes de usarlo en una sentencia SQL cuando se envía el resultado de una encuesta, permitiendo a usuarios no autenticados llevar a cabo ataques de inyección SQL • https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a https://www.in-spired.xyz/wpdevart-polls-blind-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •