CVE-2024-3600 in Poll Maker Plugin
Summary
by MITRE • 04/19/2024
The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page.
Analysis
by VulDB Data Team • 05/29/2025
CVE-2024-3600 affects Poll Maker – Best WordPress Poll Plugin, a widely used WordPress plugin that lets site administrators create polls and quizzes. The flaw is a critical security weakness that undermines the integrity of WordPress installations by allowing unauthenticated attackers to inject malicious scripts into quiz content. It stems from inadequate access controls and insufficient input validation in the plugin's AJAX handling, which opens a path to persistent cross-site scripting attacks that can compromise user sessions and potentially lead to full system compromise.
The vulnerability sits in the ays_poll_maker_quick_start AJAX action, which lacks a capability check and so lets unauthorized users execute administrative functions without authenticating. In addition, the plugin fails to adequately escape and sanitize user input in all versions up to and including 5.1.8, creating multiple injection points where malicious code can be stored and later executed. Together, the missing authorization check and the insufficient sanitization produce a persistent XSS vulnerability that can affect any user who views the compromised quiz content, which makes it particularly dangerous for sites with high user engagement or administrative access.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. When users visit pages containing the injected scripts, the malicious code executes in their browser context, potentially allowing attackers to steal cookies, redirect users to malicious sites, or even perform actions on behalf of authenticated users. This vulnerability particularly affects WordPress sites that rely on the Poll Maker plugin for user engagement features, as the stored nature of the XSS means that once a malicious script is injected, it will persist and affect all users who encounter the compromised content.
Security practitioners should immediately update to the latest plugin version to remediate this vulnerability, as versions prior to the fix received no patches. The vulnerability is classified as CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for social engineering through malicious content injection. Organizations should add monitoring for unusual AJAX requests and for modifications to user-generated content, and should consider network-level protections such as web application firewalls to detect and block malicious script injections. Remediation should also include a thorough scan of existing quiz content for malicious scripts, and proper input validation and output escaping throughout the application's codebase to prevent similar vulnerabilities in the future.
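One way to run the scan of existing quiz content recommended above, as an added example that is not code from the plugin or from VulDB. It assumes the poll rows have already been exported from the database as dictionaries; the field names and sample rows are constructed for illustration and are not the plugin's schema.

```python
from html.parser import HTMLParser

# Elements with no place in a poll title, question or answer (assumed policy).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "form", "meta"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}


class ActiveMarkupFinder(HTMLParser):
    """Collects markup in a stored field that a browser could execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # HTMLParser lower-cases names and decodes entities in values;
            # whitespace is dropped because browsers ignore it inside a scheme.
            scheme = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and scheme.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_field(text):
    finder = ActiveMarkupFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_rows(rows):
    """Return (row id, field, finding) for every suspicious stored value."""
    hits = []
    for row in rows:
        for field, value in row.items():
            if isinstance(value, str):
                hits += [(row["id"], field, f) for f in scan_field(value)]
    return hits


# Constructed sample rows; field names are assumptions, not the plugin's schema.
SAMPLE_ROWS = [
    {"id": 1, "title": "Favourite editor?", "answer": "<b>Vim</b>"},
    {"id": 2, "title": "Lunch <script>alert(1)</script>", "answer": "Pizza"},
    {"id": 3, "title": "Survey", "answer": '<img src="x.png" ONERROR="alert(1)">'},
    {"id": 4, "title": "Link", "answer": '<a href="java&#115;cript:alert(1)">go</a>'},
]
```

Rows that `scan_rows` flags are candidates for manual review and cleanup; an empty result does not replace updating the plugin.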