YOP Poll 5.7.3, Reflected XSS
The YOP Poll plugin exposes a number of AJAX handlers to unauthenticated users (see lines 15-40 of the file yop-poll/inc/admin.php). A reflected XSS vulnerability has been found in at least one of them, namely yop_poll_set_wordpress_vote, which is available to both registered and non-registered users. The vulnerable fields are transmitted Base64 encoded (see lines 859 to 912 of yop-poll/inc/admin.php), so an injected payload contains no quote characters at the point where WordPress/PHP applies its automatic quote escaping; the quotes only reappear once the plugin decodes the field. For the same reason the payload never appears literally in the request, which also defeats browser-side reflected-XSS filters that compare request parameters against the response.
Update to version 5.7.4.
Proof of Concept
When the PoC URL is visited, an alert is presented to the user. Note that the value of the poll_id parameter before Base64 encoding is ';alert(1);', with the single quotes being part of the payload.
- 2015-05-14: Discovered
- 2015-05-14: Vendor notified
- 2015-05-14: Vendor responded
- 2015-05-16: Vendor provided code for review – issue appears resolved in proposed update
- 2015-06-17: Vendor notified of pending email to WordPress Plugins team for plugin removal
- 2015-06-17: Vendor stated that release of update was delayed, but that an update has now been released
- 2015-06-24: Vendor queried over update – still seeing vulnerable version as most recent version
- 2015-06-24: Vendor responds that we’re mistaken – states 5.7.3 is patched
- 2015-06-25: Version 5.7.3 re-tested and confirmed vulnerable to the original PoC. Update requested from vendor; one week given before notifying the WordPress Plugins team, due to the lack of an adequate response
- 2015-06-26: Vendor states that the issue will be looked into; communication error between Development and Support
- 2015-06-29: Vendor states that version 5.7.4 is pending release
- 2015-07-01: Version 5.7.4 released – issue resolved
- 2015-07-08: Advisory released