CVE-2024-8854: 
WordPress vulnerability analysis and mitigation

The Polls CP WordPress plugin before version 1.0.77 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-8854. The vulnerability was discovered in the poll settings functionality where insufficient sanitization and escaping of input allows high-privilege users such as administrators to perform stored XSS attacks, even when the unfiltered_html capability is disallowed, such as in multi-site setups (WPScan).

The vulnerability exists due to improper sanitization and escaping of poll settings in the plugin. The issue specifically affects the custom styles functionality accessible through the plugin's administration interface. According to the proof of concept, an attacker can inject malicious JavaScript code through the CSS settings page at '/wp-admin/admin.php?page=CP_Polls&edit=1&cal=1&item=css&r=0'. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (CISA-ADP).

When exploited, this vulnerability allows high-privilege users to store and execute malicious JavaScript code that will be triggered when other users view pages containing the affected polls. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks against site administrators and users (WPScan).

The vulnerability has been patched in version 1.0.77 of the Polls CP WordPress plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).