CVE-2019-25297 in Poll
Summary
by MITRE • 01/16/2026
Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/16/2026
The CVE-2019-25297 vulnerability affects the Poll Survey & Quiz Maker WordPress plugin developed by Opinion Stage, specifically targeting versions prior to 19.6.25. This security flaw represents a critical stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into the plugin's content handling mechanisms. The vulnerability stems from inadequate input validation and insufficient output escaping practices within the plugin's codebase, creating a persistent security risk that can affect all users of the affected WordPress installations.
The technical implementation of this vulnerability occurs through multiple parameters within the plugin's functionality that process user input without proper sanitization. When users create polls, surveys, or quizzes, the plugin fails to adequately validate or escape user-supplied data before storing it in the database. This stored data is then served back to other users without proper output encoding, creating the conditions for XSS attacks to execute in the victim's browser context. The vulnerability is particularly dangerous because it operates without requiring authentication, meaning any user can exploit it regardless of their access level or privileges within the WordPress environment.
From an operational impact perspective, this vulnerability presents significant risks to WordPress site administrators and end users alike. Attackers can leverage this flaw to execute malicious scripts that may steal session cookies, redirect users to phishing sites, or perform unauthorized actions on behalf of victims. The stored nature of the vulnerability means that once exploited, the malicious code persists and affects all subsequent visitors to the affected pages until the plugin is updated or the malicious content is manually removed. This creates a persistent threat vector that can compromise user data, hijack sessions, and potentially lead to complete site takeover scenarios.
Security professionals should note that this vulnerability aligns with CWE-79, which describes cross-site scripting flaws in software applications. The ATT&CK framework categorizes this as a technique for code injection, specifically falling under the T1059.007 sub-technique for scripting languages. The vulnerability demonstrates poor input validation practices that violate fundamental security principles and represents a common weakness in web application development. Organizations should immediately update to version 19.6.25 or later to remediate this issue, as the patch addresses the core input validation and output escaping deficiencies that enable the XSS attack vector. Additionally, administrators should implement proper security monitoring and input sanitization measures to detect and prevent similar vulnerabilities in other custom plugins or themes within their WordPress environments.