When adding a new poll, paste a malicious script into the question fields and then press Preview: the script is executed. The preview option is available to the Editor and Administrator roles, so these are the roles exposed to this XSS attack.
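To illustrate the class of defect described above, here is an added example (not the plugin's own code) of a poll preview rendered in WordPress PHP, once with the question echoed raw and once escaped on output with esc_html(); the function names and the $poll array layout are hypothetical, esc_html() is WordPress core.

```php
<?php
// Added example, not the plugin's own code. Function names and the
// $poll structure are hypothetical; esc_html() is WordPress core.
// Fallback so the file also runs outside WordPress (plain PHP CLI).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable preview: the question and answers are echoed exactly as
// submitted, so markup typed into a field becomes part of the page and runs.
function poll_preview_vulnerable( array $poll ) {
    $html = '<h3>' . $poll['question'] . '</h3><ul>';
    foreach ( $poll['answers'] as $answer ) {
        $html .= '<li>' . $answer . '</li>';
    }
    return $html . '</ul>';
}

// Fixed preview: every user-controlled string is escaped at output time,
// so the browser displays the literal text instead of interpreting it.
function poll_preview_fixed( array $poll ) {
    $html = '<h3>' . esc_html( $poll['question'] ) . '</h3><ul>';
    foreach ( $poll['answers'] as $answer ) {
        $html .= '<li>' . esc_html( $answer ) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample submission with markup in the question and an answer.
$poll = array(
    'question' => 'Best editor? <script>alert(1)</script>',
    'answers'  => array( 'vim', 'emacs <b>bold</b>' ),
);

// Raw output keeps the <script> tag intact; escaped output turns the
// angle brackets into entities so nothing is executed in the browser.
echo poll_preview_vulnerable( $poll ), "\n";
echo poll_preview_fixed( $poll ), "\n";
```

The same escaping belongs on every path that renders submitted poll text, not only the saved poll view, since the preview path here renders the unsaved submission directly.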
Proof of concept
Proof of concept will be posted later, to give users the time to update.
- Wednesday, April 8th 2020: Vulnerability detected by Jeroen Mulder. Plugin author notified.
- Wednesday, April 22nd 2020: Vulnerability fixed by plugin author in version 6.1.5.
- Friday, April 24th 2020: Vulnerability posted to wpvulndb.com.