CVE-2024-8851: 
WordPress vulnerability analysis and mitigation

The Polls CP WordPress plugin versions before 1.0.77 contains a security vulnerability identified as CVE-2024-8851. The vulnerability was discovered and publicly disclosed on September 1, 2024. The issue stems from improper sanitization and escaping of poll settings, specifically affecting WordPress installations using the Polls CP plugin (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The security flaw exists in the poll settings functionality, particularly in the vote button settings, where certain input fields are not properly sanitized or escaped (WPScan, Wiz).

This vulnerability enables high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multi-site setups. The impact is particularly concerning in environments where multiple administrators have access to the plugin settings (WPScan).

The vulnerability has been patched in version 1.0.77 of the Polls CP plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).