VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20067

Description

WordPress CP Polls 1.0.8 lacks CSRF protection, allowing attackers to perform unauthorized poll operations on behalf of an authenticated administrator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WordPress CP Polls plugin version 1.0.8 contains a cross-site request forgery (CSRF) vulnerability. The plugin does not implement anti-CSRF tokens for administrative actions, specifically when updating poll settings via the options-general.php?page=CP_Polls&cal=1 endpoint. This allows an attacker to craft a malicious HTML page that, when visited by a logged-in administrator, will execute unwanted poll operations, such as modifying poll options or injecting persistent cross-site scripting (XSS) payloads. The vulnerability affects all installations using CP Polls 1.0.8 [1][2].

Exploitation

An attacker must first identify a valid poll ID (visible in the page source as a hidden CP_Polls_id field) [1]. The attacker then crafts a malicious HTML page containing a cross-site request forgery payload that targets the vulnerable endpoint, and lures a logged-in WordPress administrator into visiting it via social engineering (e.g., a phishing email or malicious link). Once the administrator's browser loads the page, the forged request is sent automatically with the administrator's session cookies, and the poll update executes without the victim's consent. Because the endpoint accepts a plain POST with no unpredictable anti-CSRF token, no additional authentication or interaction is required beyond the initial visit [1][2].

Impact

Successful exploitation allows the attacker to arbitrarily modify poll settings (e.g., questions, answers, display options) and, because option values are stored unsanitized (the concurrent persistent XSS vulnerability), inject malicious scripts into the poll pages [1]. This can lead to data tampering, defacement, or further XSS attacks against other visitors who view the affected poll. The attacker acts with the privileges of the compromised administrator, enabling full manipulation of the CP Polls plugin functionality. The CVSS v3.1 score of 4.3 reflects the medium severity: exploitation requires user interaction and an authenticated victim [2].

Mitigation

As of the published references, no official patch has been released for CP Polls 1.0.8 to address this CSRF vulnerability [1][2]. Users are advised to upgrade to a later version of the CP Polls plugin if one is available, or to disable the plugin until a patched version is released. Administrators should be cautious when clicking links from untrusted sources and should prefer plugins that enforce nonce-based CSRF protection on admin pages. The plugin is no longer actively maintained, so migrating to an alternative polling solution is recommended.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protection and insufficient input sanitization in the CP Polls plugin allow attackers to forge requests and inject persistent XSS payloads."

Attack vector

An attacker crafts a malicious HTML page that, when visited by an authenticated WordPress administrator, silently submits a forged POST request to the CP Polls settings page [1]. Because the plugin lacks CSRF tokens, the request is processed as if the administrator intended it. The attacker can then inject persistent JavaScript into poll option fields (e.g., `poll_text_seeres`, `vs_text_submitbtn`, `vs_text_enter_valid_captcha`) or change the poll name to `malicious.bat;` to turn a downloaded CSV report into an executable `.bat` file [1]. Additionally, a CSV import endpoint can be abused to upload a crafted CSV containing XSS payloads, which are stored and executed when the poll data is viewed [1].

Affected code

The CP Polls plugin for WordPress (version 1.0.8) lacks CSRF protection on the poll settings update page (`wp-admin/options-general.php?page=CP_Polls&cal=1`), the poll name change action, and the CSV import functionality (`wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1`). The plugin also fails to sanitize poll option values, poll names, and CSV import data before saving them to the database.

What the fix does

The advisory does not include a patch diff, but the vendor released version 1.0.9 on 2016-03-01 to address these issues [1]. The fix would need to add CSRF nonce checks to all administrative actions (settings update, poll name change, CSV import), sanitize poll option fields and CSV import data before storage, and restrict the poll name to prevent injection of the semicolon character that breaks the Content-Disposition header.
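The following is an added example, not code from the CP Polls plugin or from the advisory, showing what the three corrective measures described above (and the nonce-based protection recommended under Mitigation) look like in a WordPress admin handler. The hook names, option key, capability, form field names (`poll_name`, `poll_option_text`, `submit_label`, `poll_csv`) and the `example_polls_` prefix are all hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`, `sanitize_key`, `esc_html`) are the real core functions.

```php
<?php
// Added example (hypothetical plugin skeleton, not CP Polls code).
// Every admin action goes through the same three gates:
//   1. capability check, 2. nonce verification, 3. sanitization before storage.

add_action('admin_post_example_polls_save',   'example_polls_save_settings');
add_action('admin_post_example_polls_import', 'example_polls_import_csv');

// Shared gate: a forged cross-site POST fails here because the attacker's page
// cannot read the per-user nonce that wp_nonce_field() embedded in the real form.
function example_polls_authorize($nonce_action) {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.'), '', array('response' => 403));
    }
    // Dies with a 403 "link has expired" page when the nonce is missing or wrong.
    check_admin_referer($nonce_action, 'example_polls_nonce');
}

function example_polls_save_settings() {
    example_polls_authorize('example_polls_save');

    $settings = array(
        // sanitize_key() keeps only [a-z0-9_-], so ';' or '.bat' can never reach
        // the Content-Disposition header built in example_polls_export_csv().
        'poll_name'        => sanitize_key(wp_unslash($_POST['poll_name'] ?? '')),
        'poll_option_text' => sanitize_text_field(wp_unslash($_POST['poll_option_text'] ?? '')),
        'submit_label'     => sanitize_text_field(wp_unslash($_POST['submit_label'] ?? '')),
    );
    update_option('example_polls_settings', $settings);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=example_polls')));
    exit;
}

function example_polls_import_csv() {
    example_polls_authorize('example_polls_import');

    $file = $_FILES['poll_csv']['tmp_name'] ?? '';
    if ($file === '' || !is_uploaded_file($file)) {
        wp_die(esc_html__('No CSV file uploaded.'), '', array('response' => 400));
    }
    $rows = array();
    $fh   = fopen($file, 'r');
    while (($cells = fgetcsv($fh)) !== false) {
        // Strip tags and control characters from every cell before it is stored.
        $rows[] = array_map('sanitize_text_field', $cells);
    }
    fclose($fh);
    update_option('example_polls_imported_rows', $rows);

    wp_safe_redirect(admin_url('options-general.php?page=example_polls&imported=1'));
    exit;
}

function example_polls_export_csv() {
    $s = get_option('example_polls_settings', array());
    // The stored name is already restricted to [a-z0-9_-]; the extension is fixed.
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="poll-' . $s['poll_name'] . '.csv"');
    $out = fopen('php://output', 'w');
    foreach (get_option('example_polls_imported_rows', array()) as $row) {
        fputcsv($out, $row);
    }
    fclose($out);
    exit;
}

function example_polls_render_form() {
    $s = get_option('example_polls_settings', array());
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_polls_save">
        <?php wp_nonce_field('example_polls_save', 'example_polls_nonce'); ?>
        <p><label>Poll name
            <input type="text" name="poll_name"
                   value="<?php echo esc_attr($s['poll_name'] ?? ''); ?>"></label></p>
        <p><label>Option text
            <input type="text" name="poll_option_text"
                   value="<?php echo esc_attr($s['poll_option_text'] ?? ''); ?>"></label></p>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end rendering escapes on output as a second layer: even a value that
// slipped past sanitization is shown as text, not executed as script.
function example_polls_render_option_text() {
    $s = get_option('example_polls_settings', array());
    echo '<span class="poll-option">' . esc_html($s['poll_option_text'] ?? '') . '</span>';
}
```

The two layers are deliberately independent: `check_admin_referer` blocks the forged request itself, while sanitization on input plus `esc_html`/`esc_attr` on output means that a poll option containing `<script>` would be stored as inert text and displayed literally even if some other path wrote it. Restricting the poll name with `sanitize_key` rather than just rejecting `;` closes the whole class of header-injection and extension-spoofing problems in the CSV download, not only the one variant the advisory describes.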

Preconditions

  • input: Attacker must craft a malicious HTML page that submits a forged POST request to the CP Polls admin endpoints.
  • auth: Victim must be an authenticated WordPress administrator.
  • network: Victim must visit the attacker's malicious page while logged into WordPress.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
