Lester Chan WP-Polls
CPE: cpe:2.3:a:wp-polls_project:wp-polls:*:*:*:*:wordpress:*:*
Affected versions:
- <= 2.77.2
A SQL injection vulnerability has been identified in the WP-Polls plugin for WordPress, affecting all versions through 2.77.2. The vulnerability arises from inadequate escaping of user-supplied data in SQL queries, allowing unauthenticated attackers to inject additional SQL commands. While the injected SQL queries cannot be used to extract database information, a carefully crafted payload can introduce malicious JavaScript that is stored and executed later, resulting in a stored cross-site scripting vulnerability.
Exploitation of this vulnerability allows for SQL injection, which could be used to manipulate the database. In this case, it specifically enables the injection of malicious JavaScript that is stored and later executed in the context of the user.
The vulnerability can be reproduced by sending a request with a crafted Cookie header that exploits the SQL injection flaw. This can be done using a tool like Burp Suite or by manually crafting the HTTP request to include the malicious SQL injection payload in the Cookie header. Once the payload is injected, the malicious JavaScript can be executed by accessing the appropriate poll log, where the injected script will run.
Users are advised to update the WP-Polls plugin to version 2.77.3 or later, where this vulnerability has been patched.
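The two controls that break the chain described above (a request value reaching the SQL text, then stored markup being rendered in the poll log) are modeled below with sqlite3 as an added example. This is not WP-Polls code, and the table, column and function names are hypothetical. In WordPress the corresponding calls are $wpdb->prepare() for the query and esc_html() for the output.

```python
import html
import sqlite3

# Constructed sample: a harmless value containing a quote and markup.
SAMPLE = "O'Brien <b>x</b>"


def open_db():
    # Hypothetical schema for the model; not the plugin's real table layout.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE poll_log (poll_id INTEGER, voter TEXT)")
    return db


def log_vote_concat(db, poll_id, cookie_value):
    # 'Before' pattern: the request value becomes part of the SQL text,
    # so any quote in it is interpreted by the SQL parser.
    db.execute(
        "INSERT INTO poll_log (poll_id, voter) "
        f"VALUES ({int(poll_id)}, '{cookie_value}')"
    )


def log_vote_bound(db, poll_id, cookie_value):
    # Hardened: the value is bound as a parameter and never parsed as SQL.
    db.execute(
        "INSERT INTO poll_log (poll_id, voter) VALUES (?, ?)",
        (int(poll_id), cookie_value),
    )


def render_log(db, poll_id):
    # Second layer: encode on output, so stored markup stays inert text
    # even if a row was written before the query was fixed.
    rows = db.execute(
        "SELECT voter FROM poll_log WHERE poll_id = ? ORDER BY rowid",
        (int(poll_id),),
    )
    return "".join(f"<li>{html.escape(voter)}</li>" for (voter,) in rows)


def reaches_sql_parser(insert_fn, value):
    # True when the value was treated as SQL syntax rather than as data:
    # the statement failed to parse, or the stored text differs from the input.
    db = open_db()
    try:
        insert_fn(db, 1, value)
    except sqlite3.Error:
        return True
    return [v for (v,) in db.execute("SELECT voter FROM poll_log")] != [value]
```

Running reaches_sql_parser against both insert functions with the same input gives a quick regression check for any code path that writes request headers into a log table.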