Fortinet Discovers WordPress YOP Poll Plugin Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in WordPress YOP Poll Plugin.
WordPress YOP Poll is a versatile plugin with over 20,000 active installations. The plugin allows you to easily integrate a survey in your blog post/page and to manage the polls from within your WordPress dashboard.
The XSS vulnerability exists in the Admin preview module (version 6.3.0) where an user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability exists due to insufficient validation of create_yop_poll parameters.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:WordPress.YOP.Poll.Plugin.CVE-2021-24833.XSS
Released Jul 29, 2021
Upgrade to the version 6.3.1 or above.
Timeline
Fortinet reported the vulnerability to YOP Poll Team on July 15, 2021.
YOP Poll Team confirmed the vulnerability on July 19, 2021.
YOP Poll Team fixed the vulnerability on September 26, 2021.