CVE-2024-3600

Name of the Vulnerable Software and Affected Versions The Poll Maker – Best WordPress Poll Plugin versions up to, and including, 5.1.8

Description The issue is related to Stored Cross-Site Scripting due to a missing capability check on the ays poll maker quick start AJAX action, as well as insufficient escaping and sanitization. This allows unauthenticated attackers to create quizzes and inject malicious web scripts into them, which execute when a user visits the page.

Recommendations For versions up to, and including, 5.1.8, update to a version that includes the necessary capability check and proper escaping and sanitization to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the ays poll maker quick start AJAX action to prevent unauthenticated attackers from exploiting the issue.