VYPR
High severity · 7.2 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20066

Description

WordPress CP Polls 1.0.8 stores unsanitized file uploads, enabling persistent XSS via crafted scripts with event handlers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress CP Polls plugin version 1.0.8 (and possibly earlier versions) contains a persistent cross-site scripting (XSS) vulnerability [1]. The plugin fails to properly sanitize values from file uploads before storing them in the database. This allows an attacker to upload a file containing malicious script payloads with event handlers, such as onerror, that will execute arbitrary JavaScript in the browser of any user viewing the affected poll content.

Exploitation

An attacker can exploit this vulnerability by first uploading a file with a crafted script payload via the poll's file upload functionality [1][2]. Successful exploitation may require a privileged user (e.g., an administrator) to perform an action, such as clicking a malicious link that triggers a cross-site request forgery (CSRF) attack [1]. The attacker does not need direct authentication; they can use CSRF to trick the administrator into uploading the malicious file or otherwise saving the unsanitized payload. The script executes when a victim views the page containing the uploaded file.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser session [1][2]. Since the XSS is persistent, every user who visits the affected poll page will execute the injected script. Depending on the victim's privileges, this can result in session hijacking, defacement, or theft of sensitive data. The attacker does not gain direct server-level access but can perform any action that the victim user can within the WordPress admin panel.

Mitigation

As of the vulnerability disclosure (2016-02-22), the affected version CP Polls 1.0.8 is the latest. The vendor (dwbooster) has not released a security update to address this issue [1]. Users are advised to disable or remove the plugin until a fix is available, or to implement a web application firewall rule that blocks malicious file uploads. No CISA KEV listing is known.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in CSV file import and poll settings fields allows injection of arbitrary HTML and JavaScript."

Attack vector

An attacker can craft a malicious CSV file containing JavaScript payloads in event handlers, such as `<img src=x onerror=alert('You_are_owned!')>`, and upload it via the import functionality. Because this action has no CSRF protection, the attacker can also chain it with a CSRF attack by sending a crafted HTML page to an administrator; if the administrator visits the page while authenticated, the malicious CSV is imported silently [1]. Once imported, the injected script executes in the browser of any user viewing the affected poll data, resulting in persistent cross-site scripting.

Affected code

The CP Polls plugin for WordPress (version 1.0.8) fails to sanitize values before saving them to the database, and the CSV import functionality does not sanitize uploaded file contents. The import endpoint at `wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1` accepts an `importfile` parameter without proper validation [1].

What the fix does

The advisory states that version 1.0.9 was released on 2016-03-01 to address these issues [1]. The exact code changes are not shown, but the fix would need to sanitize all user-supplied values before saving them to the database and validate or escape the contents of imported CSV files to prevent HTML/JavaScript injection. Additionally, CSRF tokens should be added to the import and settings endpoints to prevent cross-site request forgery.
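The import-side check described above, as an added Python example that is not code from the plugin, the vendor or the advisory: it flags CSV cells that carry HTML tags or inline event-handler attributes and returns every cell HTML-escaped. The function name `audit_csv`, the two regular expressions and the three-column sample layout are assumptions of this example.

```python
import csv
import html
import io
import re

# Heuristics (assumptions of this example): an HTML tag opener, or an
# inline event-handler attribute such as onerror= / onmouseover=.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample; the three-column layout is hypothetical.
SAMPLE_CSV = (
    "2016-02-20 10:00,203.0.113.5,Option A\n"
    "2016-02-21 11:30,203.0.113.9,<img src=x onerror=alert('You_are_owned!')>\n"
    "2016-02-22 09:15,203.0.113.7,x' onmouseover='1\n"
)


def audit_csv(text):
    """Return (findings, escaped_rows).

    findings: (row, column, reason) for every cell carrying markup.
    escaped_rows: every cell HTML-escaped, safe to render as text.
    """
    findings, escaped_rows = [], []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        escaped = []
        for c, cell in enumerate(row, start=1):
            if TAG_RE.search(cell):
                findings.append((r, c, "html-tag"))
            elif HANDLER_RE.search(cell):
                findings.append((r, c, "event-handler"))
            # Escape regardless of the heuristics so stored text renders inert.
            escaped.append(html.escape(cell, quote=True))
        escaped_rows.append(escaped)
    return findings, escaped_rows


if __name__ == "__main__":
    findings, rows = audit_csv(SAMPLE_CSV)
    for r, c, reason in findings:
        print(f"row {r} col {c}: {reason}")
    print(rows[1][2])
```

The pattern match is only a screening aid; escaping every value when it is rendered is what keeps a missed payload from executing.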

Preconditions

  • config: The target site must be running WordPress with CP Polls plugin version 1.0.8
  • input: An attacker must be able to upload a crafted CSV file via the import functionality, or trick an authenticated administrator into visiting a malicious CSRF page
  • auth: The administrator must be logged into WordPress when the CSRF attack is executed

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
