CVE-2025-12661

Vulnerability

Description The Pollcaster Shortcode Plugin for WordPress (versions up to and including 1.0) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on the 'height' parameter in the 'pollcaster' shortcode [1]. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages [1].

### Exploitation & Conditions To exploit this vulnerability, an attacker must be authenticated and have at least a contributor role on the WordPress site [1]. The attacker can craft a malicious payload within the 'height' attribute of the shortcode. When the shortcode is rendered, the unsanitized script is stored and executed in the context of any user visiting the affected page [1].

Impact

Successful exploitation leads to Stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of site visitors [1]. This could result in session hijacking, defacement, or redirection to malicious sites, potentially compromising user data and site integrity [1].

Mitigation

Status The plugin has been permanently closed as of November 18, 2025, and is no longer available for download from the WordPress plugin repository [1]. Users should remove the plugin from their sites and switch to an alternative solution to prevent potential attacks [1].