PACKETSTORM 6.1 MEDIUM

WP-Polls 2.73 Cross Site Scripting (PACKETSTORM:214740)

CVSS 3.0: 6.1 / 10 (MEDIUM), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

A cross site scripting vulnerability exists in WP-Polls WordPress Plugin version 2.73. This issue is older research added to the archive...

Basic Information

ID PACKETSTORM:214740
Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions WP-Polls 2.73 - Reflected Cross-site Scripting
Advisory ID: RO-16-005
CVE ID: CVE-2016-10936
Severity: Medium
Vendor: WordPress
Product: WP-Polls
Version: 2.73


Overview

A Reflected Cross-site Scripting (XSS) vulnerability exists in WP-Polls WordPress Plugin version 2.73.


Vulnerability Details

Affected Versions: 2.73 and earlier

CVE: CVE-2016-10936

Root Cause: Insufficient input validation in the poll options page.

Technical Details

Vulnerable URL: /wp-admin/admin.php?page=wp-polls/polls-options.php

Vulnerable Parameter (POST): poll_bar_style

Attack Pattern:

'" onmouseover=alert(0x000C5A)
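
The root cause above, as an added example (not WP-Polls source code and not part of the advisory): a hypothetical settings handler that reflects `poll_bar_style` into an HTML attribute, which is assumed from the quote-breaking pattern, beside an allowlisted and attribute-encoded version. The function names and the style allowlist are constructed for illustration.

```php
<?php
// Added example: hypothetical handler, not WP-Polls source code.
// Assumption: the POSTed poll_bar_style value is echoed into an HTML
// attribute on the options page.

// Constructed allowlist; the plugin's real style names may differ.
const ALLOWED_BAR_STYLES = ['style_a', 'style_b', 'use_css'];

// Weak form: the raw value lands inside value="...", so a quote character
// closes the attribute and the remainder is parsed as new attributes.
function render_bar_style_unsafe(string $style): string
{
    return '<input name="poll_bar_style" value="' . $style . '" />';
}

// Attribute-context encoding. Inside WordPress, esc_attr() does this job.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: validate against the allowlist first, then encode on
// output anyway so a later change to the allowlist cannot reopen the hole.
function render_bar_style_safe(string $style): string
{
    if (!in_array($style, ALLOWED_BAR_STYLES, true)) {
        $style = ALLOWED_BAR_STYLES[0]; // unknown value: fall back to default
    }
    return '<input name="poll_bar_style" value="' . encode_attr($style) . '" />';
}

// The attack pattern from the advisory, used as test input.
$submitted = '\'" onmouseover=alert(0x000C5A)';

echo render_bar_style_unsafe($submitted), PHP_EOL; // value attribute is closed early
echo render_bar_style_safe($submitted), PHP_EOL;   // unknown style replaced by default
echo encode_attr($submitted), PHP_EOL;             // quotes emitted as entities
```

Comparing the first and third output lines shows why encoding at the point of output matters even when validation is in place: the same input stays inside the attribute value once its quote characters are emitted as entities.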



Exploitation Requirements

Admin authentication required
Victim must interact with the malicious element

Impact

Remote attackers can exploit this vulnerability to:

Steal admin session cookies
Perform administrative actions
Modify poll settings



Solution

Update to the latest version of WP-Polls. See changelog.


References

Invicti Advisory NS-16-009

Timeline:

[2016-06-28] - First Contact
[2016-06-29] - Vendor Replied
[2016-07-29] - Advisory Released

Credits: Omar Kurt
