Headline
CVE-2017-2127: WordPress plugin "YOP Poll" vulnerable to cross-site scripting
Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published:2017/03/23 Last Updated:2017/03/23
Overview
The WordPress plugin “YOP Poll” contains a cross-site scripting vulnerability.
Products Affected
- YOP Poll versions prior to 5.8.1
Description
The WordPress plugin “YOP Poll” contains a stored cross-site scripting (CWE-79) vulnerability.
Impact
An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector(AV)
Physical §
Local (L)
Adjacent (A)
Network (N)
Attack Complexity(AC)
High (H)
Low (L)
Privileges Required(PR)
High (H)
Low (L)
None (N)
User Interaction(UI)
Required ®
None (N)
Scope(S)
Unchanged (U)
Changed ©
Confidentiality Impact©
None (N)
Low (L)
High (H)
Integrity Impact(I)
None (N)
Low (L)
High (H)
Availability Impact(A)
None (N)
Low (L)
High (H)
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N
Access Vector(AV)
Local (L)
Adjacent Network (A)
Network (N)
Access Complexity(AC)
High (H)
Medium (M)
Low (L)
Authentication(Au)
Multiple (M)
Single (S)
None (N)
Confidentiality Impact©
None (N)
Partial §
Complete ©
Integrity Impact(I)
None (N)
Partial §
Complete ©
Availability Impact(A)
None (N)
Partial §
Complete ©
Credit
Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information