CVE-2024-13602: 
WordPress vulnerability analysis and mitigation

The Poll Maker WordPress plugin before version 5.5.4 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in February 2025 and assigned CVE-2024-13602. The issue affects the plugin's settings functionality, specifically impacting WordPress installations with the Poll Maker plugin installed (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the Poll Maker plugin. This security flaw exists even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (CISA-ADP).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite WordPress installations where even administrators are typically restricted from using unfiltered HTML (WPScan).

The vulnerability has been patched in Poll Maker version 5.5.4. Users are advised to update to this version or later to mitigate the security risk (WPScan).