VYPR
Unrated severity · NVD Advisory · Published Aug 20, 2019 · Updated Aug 5, 2024

CVE-2017-18520

Description

The democracy-poll plugin before 5.4 for WordPress has XSS via update_l10n in admin/class.DemAdminInit.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping in the update_l10n function allows stored XSS."

Attack vector

An attacker with admin-level access can inject arbitrary JavaScript via the `update_l10n` function in `admin/class.DemAdminInit.php` [ref_id=1]. The function does not properly sanitize or escape localization strings before saving or outputting them, allowing stored XSS. The attacker must have WordPress admin credentials to reach the localization settings page where the vulnerable input is processed.

Affected code

The vulnerability exists in `admin/class.DemAdminInit.php` in the `update_l10n` method. This file is part of the Democracy Poll plugin for WordPress, versions before 5.4.

What the fix does

The changelog for version 5.4 states "FIX: XSS vulnerability fix (security issue)" and "ADD: Nonce checks for all admin requests" [ref_id=1]. While the specific patch diff is not included in the bundle, the fix likely involves adding proper input sanitization and output escaping to the `update_l10n` method, along with nonce verification to prevent cross-site request forgery. No further technical details about the patch are available in the provided materials.
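The pattern the changelog describes (nonce checks on admin requests, sanitization before saving, escaping on output) looks like the following in a WordPress admin handler. This is an added illustrative example, not code from the Democracy Poll plugin and not the actual 5.4 patch, which is not available on this page; the function names, the `dem_example_` prefix, the option name, and the nonce action and field names are all assumptions chosen for the example.

```php
<?php
// Added illustrative example, not code from the Democracy Poll plugin.
// Demonstrates the defensive pattern an admin handler that stores
// localization strings should follow: nonce verification, capability
// check, sanitization on save, escaping on output.
// Every dem_example_* name, the option key and the nonce names are assumptions.

// Form side: emit a nonce field so the handler can verify the request origin,
// and escape each stored string for the HTML context it is printed into.
function dem_example_l10n_form( array $l10n ) {
    echo '<form method="post">';
    wp_nonce_field( 'dem_example_update_l10n', 'dem_example_nonce' );
    foreach ( $l10n as $key => $value ) {
        // Escape on output: text context for the label, attribute context
        // for the input name and value. Never trust what is in the database.
        printf(
            '<label>%1$s <input type="text" name="l10n[%2$s]" value="%3$s"></label><br>',
            esc_html( $key ),
            esc_attr( $key ),
            esc_attr( $value )
        );
    }
    echo '<input type="submit" value="Save"></form>';
}

// Handler side: refuse requests without a valid nonce or the required
// capability, then sanitize every submitted string before storing it.
function dem_example_update_l10n() {
    // Nonce check ties the request to a form this site rendered for this user,
    // which is what closes the CSRF angle on a stored-XSS sink.
    if ( ! isset( $_POST['dem_example_nonce'] )
        || ! wp_verify_nonce( $_POST['dem_example_nonce'], 'dem_example_update_l10n' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Capability check: only users allowed to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $submitted = ( isset( $_POST['l10n'] ) && is_array( $_POST['l10n'] ) ) ? $_POST['l10n'] : array();
    $clean     = array();
    foreach ( $submitted as $key => $value ) {
        // Keys are restricted to a conservative charset; values have tags,
        // octets and control characters stripped before they reach the database.
        $key = sanitize_key( $key );
        if ( '' === $key ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( wp_unslash( (string) $value ) );
    }
    update_option( 'dem_example_l10n', $clean );
}
```

Sanitizing on save and escaping on output are separate controls, and both are needed: sanitization limits what gets stored, escaping guarantees that whatever is stored cannot break out of the HTML context it is rendered in. `sanitize_text_field` removes all tags, so if a deployment legitimately needs markup in a localization string, the right replacement is `wp_kses` with an explicit allow-list rather than dropping the sanitization step.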

Preconditions

  • Auth: Attacker must have WordPress admin-level credentials to access the localization settings page
  • Config: The Democracy Poll plugin version must be before 5.4

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
