CVE-2025-50025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Polls cp-polls allows Stored XSS. This issue affects CP Polls: from n/a through <= 1.0.81.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in CP Polls plugin versions <=1.0.81 allows authenticated attackers to inject arbitrary web scripts.
The CP Polls plugin for WordPress, versions n/a through 1.0.81, suffers from a stored cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation on the cp-polls component, which enables a privileged user (e.g., an author-level or higher role) to store malicious scripts within poll data [1].
An attacker holding the required privileges can inject arbitrary JavaScript, HTML, or other payloads into the poll data the plugin stores. Although the attack requires authentication and a privileged role, no further user interaction is needed beyond the initial injection [1]. When other users, including site visitors, load pages that render the stored poll content, the malicious script executes in their browsers.
Successful exploitation allows an attacker to perform a wide range of client-side attacks: redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies or credentials, defacing pages, or performing actions on behalf of an administrator. This can compromise the affected site and its users without further authentication [1].
The vendor released version 1.0.82, which resolves the vulnerability by properly sanitizing output [1]. Users are strongly urged to update immediately. For those unable to update, a web application firewall can offer partial mitigation. The issue has a CVSS v3 base score of 5.9 (Medium) and is not currently listed on CISA’s Known Exploited Vulnerabilities catalog, though similar plugin XSS flaws are frequently targeted in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
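To make the narrative concrete, the following is an added illustration of the bug class it describes (stored poll text rendered to every visitor without escaping) beside the hardened form. It is hypothetical plugin-style code written for this page, not CP Polls' source and not the actual 1.0.82 change, which the page does not show; the option name and function names are invented, and it assumes the WordPress escaping and options API.

```php
<?php
// Hypothetical plugin-style code, added as an illustration; not CP Polls' source.
// The option name 'example_poll' and all function names are made up for this example.

// A privileged user (e.g. an author) saves a poll question, its choices and a link.
// Storing raw text is not itself the defect, but it means every later render must escape.
function example_poll_save( array $raw ) {
    $poll = array(
        'question' => (string) ( $raw['question'] ?? '' ),
        'choices'  => array_map( 'strval', (array) ( $raw['choices'] ?? array() ) ),
        'link'     => (string) ( $raw['link'] ?? '' ),
    );
    update_option( 'example_poll', $poll );
}

// VULNERABLE PATTERN: stored values are concatenated straight into markup.
// Whatever the author typed, including <script> tags or a javascript: URL,
// becomes live HTML in the browser of every visitor who views the poll.
function example_poll_render_unsafe() {
    $poll = get_option( 'example_poll', array() );
    echo '<h3>' . $poll['question'] . '</h3>';
    foreach ( $poll['choices'] as $i => $choice ) {
        echo '<label><input type="radio" name="choice" value="' . $choice . '"> ' . $choice . '</label>';
    }
    echo '<a href="' . $poll['link'] . '">More</a>';
}

// HARDENED PATTERN: escape at output time, with an escaper that matches the HTML context.
function example_poll_render_safe() {
    $poll = get_option( 'example_poll', array() );
    echo '<h3>' . esc_html( $poll['question'] ) . '</h3>';               // text node
    foreach ( $poll['choices'] as $i => $choice ) {
        echo '<label><input type="radio" name="choice" value="' . esc_attr( (string) $i ) . '"> '
            . esc_html( $choice ) . '</label>';                         // attribute, then text node
    }
    echo '<a href="' . esc_url( $poll['link'] ) . '">More</a>';         // URL attribute; esc_url drops
}                                                                       // disallowed schemes such as javascript:
```

The review question for any similar plugin is the same: for each place stored poll text reaches the page, is the escaper chosen for that context (text, attribute, URL), or is the value echoed raw?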
Affected products
2 entries (no CPE assigned):
- range: <= 1.0.81
- range: <= 1.0.81
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.