VYPR
Medium severity · NVD Advisory · Published Jan 16, 2026 · Updated Apr 15, 2026

CVE-2019-25297


Description

Poll, Survey & Quiz Maker Plugin by Opinion Stage WordPress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated stored XSS vulnerability in the Opinion Stage WordPress plugin prior to 19.6.25 allows attackers to inject arbitrary scripts via multiple parameters.

Vulnerability

Analysis

The Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, versions prior to 19.6.25, contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input validation and output escaping on multiple parameters within the plugin's code, specifically in the opinionstage_login_content_callback() function which is accessible during admin_init even to unauthenticated users [1][2][3]. This allows arbitrary script injection that persists on the server and executes when a victim views an affected page [4].

Exploitation

The vulnerability is exploitable without any prior authentication or special privileges. The attack vector is network-based: the plugin stores user-supplied input and later renders it without proper sanitization. The plugin's insecure code design was noted as being probed by hackers shortly before disclosure, indicating active exploitation in the wild [2][3]. No user interaction is required beyond a victim administrator or user viewing the injected content on an affected page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript within the context of the victim's browser session. This can lead to session hijacking, defacement, credential theft, or redirection to malicious sites. The vulnerability is considered medium severity (CVSS 5.1) and is listed in the VulnCheck Known Exploited Vulnerabilities (KEV) catalog [4]. The stored nature of the XSS increases the potential reach, as any user visiting the affected page becomes a target.

Mitigation

The vulnerability was fixed in version 19.6.25 of the plugin. Users must update to this version or later to remediate the issue [3][4]. There are no known workarounds, and the plugin vendor has released a patch via the official WordPress plugin repository (changeset 2158590) [3]. Given evidence of active exploitation, immediate patching is strongly recommended.
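The root cause described above (input persisted without validation and echoed without escaping) and the remediation (the 19.6.25 fix) are illustrated below in an added example that is not the plugin's own code. It models the vulnerable store-then-render pattern beside the hardened one in plain PHP, using htmlspecialchars() and strip_tags() as stand-ins for the WordPress helpers esc_html() and sanitize_text_field(), and adds a version gate for the fixed release. All function names and the sample input are constructed for this example.

```php
<?php
// Added example, not code from the Opinion Stage plugin. Function names
// (store_raw, render_raw, store_safe, render_safe, is_affected) are hypothetical.

// Constructed sample input of the kind an unauthenticated request could carry.
const SAMPLE_INPUT = 'My poll <script>alert(1)</script>';

$store = [];   // stands in for wp_options or a plugin table

// VULNERABLE pattern: the raw request value is persisted as-is and later
// concatenated straight into HTML, so any markup it contains executes.
function store_raw(array &$store, string $value): void {
    $store['title'] = $value;
}
function render_raw(array $store): string {
    return '<h2>' . $store['title'] . '</h2>';
}

// HARDENED, step 1: sanitize on input (strip tags, drop control characters,
// trim), the plain-PHP counterpart of WordPress sanitize_text_field().
function sanitize_text(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// HARDENED, step 2: escape for the HTML body context at output time, the
// counterpart of esc_html(). Attribute values would use esc_attr() instead.
function esc_html_ctx(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function store_safe(array &$store, string $value): void {
    $store['title'] = sanitize_text($value);
}
function render_safe(array $store): string {
    return '<h2>' . esc_html_ctx($store['title']) . '</h2>';
}

// Version gate for the fix: true while the installed plugin is still affected.
function is_affected(string $installed_version): bool {
    return version_compare($installed_version, '19.6.25', '<');
}

store_raw($store, SAMPLE_INPUT);
echo "raw:  " . render_raw($store) . "\n";   // the <script> tag survives intact
store_safe($store, SAMPLE_INPUT);
echo "safe: " . render_safe($store) . "\n";  // <h2>My poll alert(1)</h2>
var_dump(is_affected('19.6.24'));            // bool(true)
var_dump(is_affected('19.6.25'));            // bool(false)
```

Output escaping is the essential step: even if sanitization on input is skipped, escaping at render time keeps the stored value from being interpreted as markup. In a real WordPress plugin the handler would additionally be gated with current_user_can() and check_admin_referer() before accepting input, since the advisory notes the affected callback was reachable by unauthenticated users.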

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.