WordPress Plugin YOP Polls 6.2.7 Exploit, Stored Cross Site Scripting (XSS)

# Exploit Title: WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: inspired - Toby Jackson
# Vendor Homepage: https://yop-poll.com/
# Blog Post: https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/
# Software Link: https://en-gb.wordpress.org/plugins/yop-poll/
# Version: Tested on version 6.2.7 (Older versions may be affected)
# Tested on: WordPress
# Category : Webapps

## I. Vulnerability

Stored Cross Site Scripting (XSS)

## II. Product Overview

The software allows users to quickly generate polls and voting systems for their blog posts without any need for programming knowledge. 

## III. Exploit 

When a poll is created that allows other answers and then the setting is enabled for displaying the other responses after submission, the other answer is not sanitized when displayed back to the user, showing an XSS vulnerability. It is, however, correctly sanitized when displaying the other choices on the initial vote page.

## IV. Vulnerable Code

The vulnerable code resides in the fact the results are echoed back to the user without any sanitization performed on the output. It also gets stored in the database as it's inserts.

## IV. Proof of Concept

- Create a new poll that allows other answers, with the results of the other answers being displayed after voting.
- Set the permissions to whoever you'd like to be able to vote.
- Place it on a blog post.
- Insert '<script>alert('xss')</script>' into the other box.
- Submit vote. The payload gets triggered when reflected back to users.
- Whenever a new user votes, they will also be affected by the payload.

## VI. Impact

An attacker can leave stored javascript payloads to be executed whenever a user votes and views the results screen. This could lead to them stealing cookies, logging keystrokes and even stealing passwords from autocomplete forms.

## VII. SYSTEMS AFFECTED

WordPress websites running "YOP Polls" plugin version 6.2.7 (older versions may also be affected).

## VIII. REMEDIATION

Update the plugin to v6.2.8.

## VIIII. DISCLOSURE TIMELINE
-------------------------
June 9, 2021 1: Vulnerability identified.
June 9, 2021 2: Informed developer of the vulnerability.
June 10, 2021 1: Vendor requested proof of concept.
June 10, 2021 2: Sent proof of concept and accompanying details.
June 14, 2021 1: Vendor emails to state the vulnerability has been fixed.
June 16, 2021 1: Confirmed fix, vendor happy to disclose the vulnerability.
June 17, 2021 1: Requested CVE Number.

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD