CVE-2024-56277: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2024-56277) is an Improper Encoding or Escaping of Output vulnerability affecting Poll Maker Team's Poll Maker WordPress plugin versions prior to 5.5.5. The vulnerability was discovered by Muhammad Zidan Ali Mansur and was disclosed on January 3, 2025 (Patchstack).

The vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output) and has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can impact integrity while having no effect on confidentiality or availability (Patchstack).

The vulnerability could allow a malicious actor to perform HTML injection attacks, potentially enabling them to inject their own content into pages and posts of the affected website. This could be exploited for various purposes, including the injection of phishing pages into the website (Patchstack).

The vulnerability has been fixed in version 5.5.5 of the Poll Maker plugin. Users are advised to update to version 5.5.5 or later to remediate the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).