CVE-2016-20067 in CP Polls Plugin
Summary
by MITRE • 06/15/2026
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.
Analysis
by VulDB Data Team • 06/15/2026
This cross-site request forgery vulnerability in WordPress CP Polls version 1.0.8 represents a critical security flaw that undermines the integrity of authenticated user sessions. The vulnerability stems from the plugin's failure to implement proper anti-forgery token validation mechanisms, allowing malicious actors to exploit the trust relationship between the web application and authenticated users. When administrators navigate to compromised web pages, the maliciously crafted HTML code can automatically submit requests to the vulnerable plugin's endpoints without their knowledge or consent. This weakness falls under Common Weakness Enumeration entry CWE-352, which specifically addresses cross-site request forgery vulnerabilities where applications fail to validate the origin of requests.
The attack vector leverages the principle that authenticated sessions are trusted by the application, making it possible for attackers to perform unauthorized operations such as creating, modifying, or deleting poll content through carefully constructed malicious payloads. The operational impact extends beyond simple data manipulation as administrators may unknowingly execute actions that could compromise poll integrity, manipulate voting results, or even gain elevated privileges within the plugin's administrative interface. The vulnerability aligns with ATT&CK technique T1566.002, which describes the exploitation of web applications through forged requests, making it particularly dangerous in environments where administrators frequently browse untrusted websites or are exposed to social engineering attacks.
The lack of proper request validation and token verification creates a persistent threat surface that remains active as long as the vulnerable plugin remains installed and active on the WordPress installation. Organizations using this plugin face significant risk of unauthorized poll modifications, potential data corruption, and compromised user trust in the polling system.
The vulnerability demonstrates a fundamental flaw in the plugin's security architecture where session trust is not properly validated against expected request parameters, creating an attack surface that can be exploited through simple HTML page construction. This weakness directly violates security best practices outlined in the OWASP Top Ten and represents a critical failure in the principle of least privilege where authenticated users can be tricked into performing actions they did not intend to execute. The attack scenario becomes particularly concerning when considering that administrators often have elevated privileges and may be browsing the internet without security awareness of the potential risks. The vulnerability creates opportunities for attackers to manipulate poll data, potentially affecting the integrity of important voting mechanisms, and could be combined with other attacks to escalate privileges or gain further access to the WordPress system.
Security professionals should consider this vulnerability as part of a broader assessment of the WordPress environment's overall security posture and implement immediate mitigations while planning for plugin updates or replacements. The absence of proper CSRF protection in this plugin highlights the importance of thorough security reviews for all third-party components and demonstrates how seemingly simple vulnerabilities can create significant risks in web applications. Organizations should prioritize patching or removing the vulnerable plugin until proper CSRF protection measures are implemented, as the risk of exploitation remains high given the ease with which attackers can craft malicious pages that leverage the trust relationship between authenticated users and the web application.
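For reviewers checking a plugin for this class of flaw, the following added example (not CP Polls source code and not from the advisory) contrasts an admin action that trusts the session cookie alone with one that validates a WordPress nonce. The `cpx_*` function names, the `cpx_polls` table, the `cpx_nonce` field and the `manage_options` capability choice are hypothetical; the WordPress API calls are the standard ones.

```php
<?php
// Added illustration, not CP Polls source. All cpx_* names are hypothetical.

// BEFORE: relies on the session cookie alone, so a form auto-submitted from
// another site is processed as if the logged-in administrator had sent it.
function cpx_delete_poll_unprotected() {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'cpx_polls', array( 'id' => absint( $_POST['poll_id'] ) ) );
}

// AFTER: the form carries a nonce bound to the user, session and action ...
function cpx_render_delete_form( $poll_id ) {
    $poll_id = absint( $poll_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cpx_delete_poll">
        <input type="hidden" name="poll_id" value="<?php echo esc_attr( $poll_id ); ?>">
        <?php wp_nonce_field( 'cpx_delete_poll_' . $poll_id, 'cpx_nonce' ); ?>
        <?php submit_button( 'Delete poll', 'delete' ); ?>
    </form>
    <?php
}

// ... and the handler rejects any request that lacks a valid one.
function cpx_delete_poll() {
    // Authorization first: a valid nonce does not replace a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $poll_id = isset( $_POST['poll_id'] ) ? absint( wp_unslash( $_POST['poll_id'] ) ) : 0;

    // Terminates the request if the nonce is missing, expired or was issued
    // for a different user, session or poll id.
    check_admin_referer( 'cpx_delete_poll_' . $poll_id, 'cpx_nonce' );

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'cpx_polls', array( 'id' => $poll_id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=cpx_polls' ) );
    exit;
}
add_action( 'admin_post_cpx_delete_poll', 'cpx_delete_poll' );
```

When auditing a plugin, every handler that changes state (registered through `admin_post_*`, `wp_ajax_*` or run from an admin page callback) should reach a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before it touches data.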