Overview
CVE-2025-12661 identifies a stored Cross-Site Scripting (XSS) vulnerability found in the Pollcaster Shortcode Plugin for WordPress. Versions up to and including 1.0 are affected. The vulnerability stems from insufficient sanitization and escaping of user-supplied input within the ‘pollcaster’ shortcode, specifically the ‘height’ parameter. This allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages. When a user visits a page containing the injected code, the script executes in their browser, potentially leading to account compromise or other malicious activities.
Technical Details
The vulnerability resides within the processing of the pollcaster shortcode. The ‘height’ parameter, designed to control the height of the poll display, is not properly sanitized before being rendered in the HTML output. An attacker can inject arbitrary JavaScript code within this parameter. For example:
[pollcaster height="<script>alert('XSS Vulnerability!');</script>"]This payload, when embedded in a WordPress post or page by a user with sufficient privileges (contributor or higher), will execute the JavaScript alert box when the page is viewed. More sophisticated attacks could involve redirecting users to malicious sites, stealing cookies, or modifying website content.
CVSS Analysis
The vulnerability has been assigned a CVSS score of 6.4, classifying it as MEDIUM severity.
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: Low (PR:L)
- User Interaction: Required (UI:R)
- Scope: Changed (S:C)
- Confidentiality Impact: Low (C:L)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
The score reflects the relatively low barrier to exploitation (low privileges required), but also the need for user interaction to trigger the malicious code.
Possible Impact
Successful exploitation of this vulnerability can have several adverse consequences:
- Account Compromise: Attackers could steal user cookies and hijack accounts.
- Website Defacement: Malicious scripts can modify website content, potentially damaging the site’s reputation.
- Redirection to Malicious Sites: Users can be redirected to phishing sites or sites hosting malware.
- Data Theft: Sensitive data could be extracted from the website and transmitted to the attacker.
Mitigation and Patch Steps
The most effective way to mitigate this vulnerability is to take the following steps:
- Update the Plugin: If an updated version of the Pollcaster Shortcode Plugin is available that addresses this vulnerability, immediately update to the latest version. Check the WordPress plugin repository or the plugin developer’s website for updates. As of this writing, no patch exists, so consider other mitigation steps.
- Remove the Plugin: If an update is not available, or if the plugin is not actively used, consider removing the Pollcaster Shortcode Plugin from your WordPress installation.
- Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block XSS attacks. Configure the WAF to specifically filter requests containing suspicious JavaScript code in the ‘height’ parameter of the ‘pollcaster’ shortcode.
- User Access Restrictions: Review user roles and permissions. Limit contributor-level access to only those users who absolutely require it. Consider implementing stricter content moderation policies.
