High severity7.1NVD Advisory· Published Jan 8, 2026· Updated Apr 15, 2026

CVE-2025-68889

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS.This issue affects Pinpoll: from n/a through <= 4.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Pinpoll WordPress plugin up to 4.0.0 allows attackers to inject malicious scripts via crafted links.

Vulnerability

Description The Pinpoll plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. Versions up to and including 4.0.0 are affected [1].

Exploitation

Details The vulnerability is classified as reflected XSS, meaning it does not require authentication but does require user interaction. An attacker can craft a malicious link that, when clicked by a privileged user (such as an administrator), injects arbitrary JavaScript into the application. This can be used to perform actions on behalf of the victim or steal sensitive information [1].

Impact

Successful exploitation allows the attacker to execute malicious scripts in the context of the vulnerable site. This could lead to redirects, displaying advertisements, or injecting other HTML payloads that execute when visitors access the site. The CVSS score of 7.1 indicates a high severity, and the vulnerability is expected to be exploited in mass campaigns [1].

Mitigation

The vendor has not yet released a patch, but Patchstack provides a mitigation rule to block attacks until an official fix is available. Users are advised to update the plugin as soon as a patch is released, or contact their hosting provider for assistance [1].

References

Cross Site Scripting (XSS) in WordPress Pinpoll Plugin

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Pinpollinferred2 versions
<=4.0.0+ 1 more
- (no CPE)range: <=4.0.0
- (no CPE)range: <=4.0.0
Package: https://wordpress.org/plugins/pinpoll

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/pinpoll/vulnerability/wordpress-pinpoll-plugin-3-0-22-reflected-cross-site-scripting-xss-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000