When adding a new poll, paste a malicious script in the question fields and then press Preview. The script will run. The preview option is available for the editor & administrator role, which makes these roles vulnerable to XSS attacks.

Proof of concept

Proof of concept will be posted later, to give users the time to update.

Plugin details

Plugin name: CM Pop-Up banners for WordPress Plugin
Plugin Author: YOP Poll


  • Wednesday, april 8th 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified.
  • Wednesday, April 22nd 2020: Vulnerability fixed by plugin author in version 6.1.5
  • Friday, april 24th 2020: Vulnerability posted to

Geschreven door:

Jeroen Mulder

Jeroen kookt, hackt en beklimt bergen.