CVE-2016-20066

HIGH

WordPress CP Polls 1.0.8 Persistent Cross-Site Scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20066. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary The exploit demonstrates a CSRF vulnerability in WordPress CP Polls 1.0.8, allowing an attacker to update poll settings and inject persistent XSS payloads via crafted HTTP requests. It also includes a proof-of-concept for a reflected file download attack by manipulating the poll name to execute arbitrary commands.

Description

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content.

Exploits (1)

exploitdb WORKING POC

by i0akiN SEC-LABORATORY · textwebappsphp

https://www.exploit-db.com/exploits/39513

View Code ZIP pw:eip

The exploit demonstrates a CSRF vulnerability in WordPress CP Polls 1.0.8, allowing an attacker to update poll settings and inject persistent XSS payloads via crafted HTTP requests. It also includes a proof-of-concept for a reflected file download attack by manipulating the poll name to execute arbitrary commands.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: WordPress CP Polls 1.0.8

No auth needed

Prerequisites: Target WordPress site with CP Polls plugin installed · Administrator session active

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit

ExploitDB-39513

https://www.exploit-db.com/exploits/39513

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress CP Polls 1.0.8 Persistent Cross-Site Scripting

https://www.vulncheck.com/advisories/wordpress-cp-polls-persistent-cross-site-scripting

Scores

CVSS v3 7.2

EPSS 0.0019

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

dwbooster/CP Polls 1.0.8

Published Jun 15, 2026

Tracked Since Jun 15, 2026