CVE-2024-13602 in Poll Maker Plugin
Summary
by MITRE • 03/16/2025
The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 04/09/2025
CVE-2024-13602 is a critical stored cross-site scripting flaw in the Poll Maker WordPress plugin affecting versions before 5.5.4. It lies in the plugin's handling of its own settings and configuration data: values entered through the settings pages are stored without sanitisation and rendered without escaping, so a high-privilege user can persist script in the plugin's configuration. The flaw is notable because it works even where the unfiltered_html capability has been withheld, the WordPress control that normally prevents users from saving raw HTML, since the plugin applies no filtering of its own. This matters most in multisite installations, where site administrators do not hold unfiltered_html by default, security policy is correspondingly stricter, and a compromised site administrator account can reach other sites in the network.
The technical root cause is inadequate input sanitisation and output escaping in the Poll Maker plugin's administrative interfaces. When an administrator saves the plugin's settings, the application does not sanitise the submitted values before writing them to the database, so script can be stored as part of the plugin configuration and is executed whenever the affected settings are rendered in the WordPress admin interface or displayed on front-end pages. The vulnerability is classified as CWE-79 (improper neutralisation of input during web page generation). The flaw sits at the intersection of data persistence and output rendering: data enters the system through legitimate administrative functions but is not escaped for its output context when it is displayed.
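To make the sanitise-on-save and escape-on-output gap concrete, the following is an added example written for this analysis, not code from the Poll Maker plugin or from VulDB. The option and field names (example_poll_title, example_poll_settings, poll_title, poll_description, layout) are hypothetical. The first half shows the vulnerable pattern the CWE-79 classification describes; the second half shows the same settings flow using the WordPress Settings API sanitize_callback and context-specific escaping functions, which apply regardless of whether the saving user holds unfiltered_html.

```php
<?php
// Added example (hypothetical option/field names), not Poll Maker's code.
// Shows the vulnerable save/render pattern beside a hardened one.

// --- Vulnerable pattern: raw POST value stored, raw option echoed ---------------
function example_vulnerable_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_settings' );
    // No sanitisation: any markup in the submitted value is written verbatim.
    update_option( 'example_poll_title', wp_unslash( $_POST['example_poll_title'] ?? '' ) );
}

function example_vulnerable_render() {
    // No escaping: stored markup is interpreted by the browser of whoever views the page.
    echo '<input name="example_poll_title" value="' . get_option( 'example_poll_title' ) . '">';
}

// --- Hardened pattern: sanitise on save via the Settings API, escape on output ---
function example_sanitize_settings( $input ) {
    $clean = array();
    // Plain-text field: strip tags, octets, invalid UTF-8 and line breaks.
    $clean['poll_title'] = sanitize_text_field( $input['poll_title'] ?? '' );
    // Field that legitimately accepts limited HTML: keep only the tags WordPress
    // allows in post content for users *without* unfiltered_html.
    $clean['poll_description'] = wp_kses_post( $input['poll_description'] ?? '' );
    // Enumerated field: anything outside the known set falls back to the default.
    $layout          = $input['layout'] ?? '';
    $clean['layout'] = in_array( $layout, array( 'list', 'grid' ), true ) ? $layout : 'list';
    return $clean;
}

add_action( 'admin_init', function () {
    // register_setting() runs sanitize_callback on every update_option() for this option,
    // including saves made through options.php by an administrator.
    register_setting( 'example_poll_group', 'example_poll_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'example_sanitize_settings',
        'default'           => array( 'poll_title' => '', 'poll_description' => '', 'layout' => 'list' ),
    ) );
} );

function example_hardened_render() {
    $opts = get_option( 'example_poll_settings' );
    // Escape for the exact output context: attribute value vs. HTML body.
    printf(
        '<input name="example_poll_settings[poll_title]" value="%s">',
        esc_attr( $opts['poll_title'] )
    );
    // Re-apply wp_kses_post() on output so a value written to the database without
    // passing through the sanitize_callback is still neutralised when displayed.
    echo '<div class="description">' . wp_kses_post( $opts['poll_description'] ) . '</div>';
    // Enumerated value is still escaped; never trust stored data on the output side.
    printf( '<span data-layout="%s"></span>', esc_attr( $opts['layout'] ) );
}
```

The design point is that neither half of the hardened code consults the user's capabilities. unfiltered_html is enforced by WordPress core for post content, not for arbitrary plugin options, so a plugin that wants the same policy for its settings has to apply it itself: sanitize_callback on the way in, and esc_attr, esc_html or wp_kses_post on the way out, chosen by the output context.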
The operational impact of CVE-2024-13602 goes beyond script execution alone, because it can enable an attacker to escalate privileges and compromise an entire WordPress installation. When administrators view the plugin settings or use poll-related functionality, the stored script runs in their browser context, which can allow the attacker to steal session cookies, perform actions on the administrator's behalf, or redirect users to malicious sites. In multisite environments the impact is greater still, since the payload can affect several sites within the network and give the attacker a foothold across the whole multisite infrastructure. Because the payload is persistent, closing the original entry point is not enough: the stored content keeps executing until the plugin is updated or the malicious data is removed by hand, leaving a long-term risk that can be exploited repeatedly.
Mitigation requires an immediate update of the plugin to version 5.5.4 or later, which contains the necessary sanitisation and escaping fixes. Administrators should also put additional defences in place: regular security audits of installed plugins, monitoring for unauthorised changes to plugin settings, and restricting access to plugin configuration pages to trusted administrators. The vulnerability illustrates the importance of the secure coding practices described in the OWASP Top Ten, and of the privilege escalation techniques catalogued in the ATT&CK framework when assessing its impact. Organisations should also consider a web application firewall and a content security policy as additional layers of protection against similar flaws. Given the nature of stored XSS, regular vulnerability scanning and penetration testing of WordPress installations remain essential for finding and remediating such issues before they are exploited.
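The recommendation to monitor plugin settings for unauthorised changes can be turned into a concrete audit. The following is an added example written for this analysis, not code from the Poll Maker plugin or from VulDB; the option-name prefix "example_poll_" is a placeholder, to be replaced with the prefix the plugin actually uses on a given site. It scans the options table for every option under a prefix, unserialises array values, and reports any string that wp_kses_post() would alter, that is, any markup WordPress itself would refuse to save for a user without unfiltered_html. Values are compared against their entity-normalised form so bare ampersands do not produce false positives.

```php
<?php
// Added example (placeholder option prefix), not Poll Maker's or VulDB's code.
// Drop into wp-content/mu-plugins/ and run through WP-CLI, or call from a cron job.

/**
 * Collect every string inside $value (recursing into arrays) that wp_kses_post()
 * would change. Entity normalisation is applied to both sides of the comparison
 * so that legitimate text such as "Q & A" is not reported.
 */
function example_find_unsafe_markup( $value, $path = '' ) {
    $findings = array();
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $findings = array_merge(
                $findings,
                example_find_unsafe_markup( $item, $path . '[' . $key . ']' )
            );
        }
        return $findings;
    }
    if ( ! is_string( $value ) || '' === $value ) {
        return $findings;
    }
    $normalised = wp_kses_normalize_entities( $value );
    $filtered   = wp_kses_post( $value );
    if ( $filtered !== $normalised ) {
        $findings[] = array(
            'path'       => $path,
            'stored'     => $value,
            'after_kses' => $filtered,
        );
    }
    return $findings;
}

/**
 * Scan every option whose name starts with $prefix on the current site and
 * return a report keyed by option name. An empty array means nothing was flagged.
 */
function example_audit_plugin_options( $prefix ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( $prefix ) . '%'
    ) );
    $report = array();
    foreach ( $rows as $row ) {
        $value    = maybe_unserialize( $row->option_value );
        $findings = example_find_unsafe_markup( $value, $row->option_name );
        if ( $findings ) {
            $report[ $row->option_name ] = $findings;
        }
    }
    return $report;
}

/**
 * Convenience wrapper that emits one log line per finding so the output can be
 * shipped to whatever collects the site's PHP error log.
 */
function example_log_audit( $prefix ) {
    $report = example_audit_plugin_options( $prefix );
    foreach ( $report as $option => $findings ) {
        foreach ( $findings as $f ) {
            error_log( sprintf(
                'settings-audit: option=%s path=%s stripped=%s',
                $option,
                $f['path'],
                wp_json_encode( array( 'stored' => $f['stored'], 'after_kses' => $f['after_kses'] ) )
            ) );
        }
    }
    return count( $report );
}

// Usage (placeholder prefix):
//   wp eval 'print_r( example_audit_plugin_options( "example_poll_" ) );'
// On multisite, repeat per site:  wp --url=<site-url> eval '...'
```

Because the check is "would core's own kses filter change this value", it flags exactly the class of content this CVE is about: markup that a user without unfiltered_html should never have been able to persist. A non-empty report after updating to 5.5.4 indicates payloads that were stored before the fix and still need to be cleaned out manually, which matches the persistence caveat in the impact section above.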