CVE-2021-24454: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24454 affects the YOP Poll WordPress plugin versions before 6.2.8. This unauthenticated stored Cross-Site Scripting (XSS) vulnerability was discovered and publicly disclosed on June 17, 2021. The vulnerability specifically impacts installations where polls are created with specific options enabled: 'Allow other answers', 'Display other answers in the result list', and 'Show results' (WPScan).

The vulnerability stems from improper sanitization of user input in the 'Other' answer field when specific poll options are enabled. When these conditions are met, the plugin fails to properly sanitize the 'Other' answer before outputting it on the page. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79. The execution of any malicious payload depends on the 'Show results' option configuration, which can be set to trigger either before or after vote submission (WPScan).

When successfully exploited, this vulnerability allows attackers to inject and store malicious JavaScript code that executes when other users view the poll results. The stored nature of the XSS means that the malicious payload persists in the database and affects all subsequent users who view the poll results, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been patched in version 6.2.8 of the YOP Poll plugin. Website administrators running affected versions should immediately update to version 6.2.8 or later to mitigate this security risk (WPScan).