LiquidPoll Plugin up to 3.3.78 on WordPress form_data cross site scripting

Summaryinfo

A vulnerability classified as problematic has been found in LiquidPoll Plugin up to 3.3.78 on WordPress. Affected by this issue is some unknown functionality. The manipulation of the argument form_data leads to cross site scripting. This vulnerability is traded as CVE-2024-7134. It is possible to initiate the attack remotely. There is no exploit available.

Detailsinfo

A vulnerability was found in LiquidPoll Plugin up to 3.3.78 on WordPress. It has been rated as problematic. This issue affects some unknown processing. The manipulation of the argument form_data with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:

The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘form_data’ parameter in all versions up to, and including, 3.3.78 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The advisory is shared at wordfence.com. The identification of this vulnerability is CVE-2024-7134 since 07/26/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• WordPress Plugin

Name

• LiquidPoll Plugin

Version

• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4
• 3.3.5
• 3.3.6
• 3.3.7
• 3.3.8
• 3.3.9
• 3.3.10
• 3.3.11
• 3.3.12
• 3.3.13
• 3.3.14
• 3.3.15
• 3.3.16
• 3.3.17
• 3.3.18
• 3.3.19
• 3.3.20
• 3.3.21
• 3.3.22
• 3.3.23
• 3.3.24
• 3.3.25
• 3.3.26
• 3.3.27
• 3.3.28
• 3.3.29
• 3.3.30
• 3.3.31
• 3.3.32
• 3.3.33
• 3.3.34
• 3.3.35
• 3.3.36
• 3.3.37
• 3.3.38
• 3.3.39
• 3.3.40
• 3.3.41
• 3.3.42
• 3.3.43
• 3.3.44
• 3.3.45
• 3.3.46
• 3.3.47
• 3.3.48
• 3.3.49
• 3.3.50
• 3.3.51
• 3.3.52
• 3.3.53
• 3.3.54
• 3.3.55
• 3.3.56
• 3.3.57
• 3.3.58
• 3.3.59
• 3.3.60
• 3.3.61
• 3.3.62
• 3.3.63
• 3.3.64
• 3.3.65
• 3.3.66
• 3.3.67
• 3.3.68
• 3.3.69
• 3.3.70
• 3.3.71
• 3.3.72
• 3.3.73
• 3.3.74
• 3.3.75
• 3.3.76
• 3.3.77
• 3.3.78

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion